MasterCard also presented on the change in debit and credit card volume and transactions.  According to their research, both debit and credit card usage declined from Q3 2008 to Q4 2008.  Debit card usage has since increased, almost to the Q3 2008 level, while credit card usage has remained close to flat.   Between 2007 and 2009, debit card usage has increased 15-18%, while credit card usage has remained flat; cash usage declined 12-14%; and check usage declined as much as 5%.  (Retail categories included supermarket/grocery, department store, sit-down dining, gas/gas station and drug store.)

“Between 2007 and 2009, debit card usage has increased 15-18%, while credit card usage has remained flat”

This movement from credit to debit could be closely related to the closure of credit lines. The Equifax Credit Trends Report (September 2009), indicated that bankcard issuers are continuing to close accounts and reduce credit lines.  It might be assumed that credit lines are being closed mostly due to the increased in card issuer charge-offs (loans the companies do not expect to be repaid on), as well as to the lack of usage on some accounts.  The Dec 16 charge-offs report included:

• JPMorgan (JPM) charge-offs increased to 8.81% from 8.02%.
• Charge-offs at Capital One (COF) increased to 9.6% from 9.04%.
• Bank of America (BAC) saw a slight decrease to 13% from 13.22%.
• Discover Financial (DFS) saw an increase to 8.9% from 8.5%.
• American Express (AXP) saw a slight decline to 7.6% from 7.8%.

According to the Equifax report, new accounts, opened between July, 2008 and July, 2009 were 54 percent lower.  “American consumers are making the most fundamental change in the way they handle their finances we have seen in a decade,” said Dann Adams, president of Equifax’s U.S. Consumer Information System. “They are conserving cash and reducing debt across the board. We haven’t seen savings rates this high since shortly after the third quarter of 2001 – just after 9-11 – when they were at 3.25 percent.”

While consumer may be losing credit lines, they are not going back to checks and cash.  These bank activities have created a push towards debit cards, since consumers today prefer cards to cash and checks.  Consumers are either using check debit cards (tied to their bank accounts) or switching to open loop, reloadable prepaid cards.  The latter card type is especially increasing in popularity amongst teens, college students and the unbanked segment.

All reports on bank card usage make it pretty clear that card usage is not declining and shows no signs of disappearing.  With checks soon becoming a payment method of the past, payment cards usage will increase even more. The most recent action comes from the UK Payments Council, the body for setting payment strategy in Britain.  Comprised of Britain’s leading banks, the council agreed on Dec 16 to set a target date of October 31, 2018 for closing the check clearing system. UK supermarkets, high street retailers and petrol stations have stopped accepting checks, but they are still a popular form of payment among elderly people, many of whom find the idea of using automated cash machines intimidating.  “The next generation probably won’t even have a checkbook,” said Addy Frederick, a spokeswoman at the payments council.  Checks have all but disappeared in high-tech countries like Sweden and Norway and their use is under review in Ireland, South Africa and Australia, Frederick at the council said.

The Open Web Application Security Project (OWASP) was created to help improve the security of application software. The project, whose online home is a wiki site, is a forum community open to anyone and its primary mission is to promote the visibility of web application security. The project also exists to aid organizations in making educated decisions about the security risks of web applications.

In an effort to establish an industry benchmark for the amount of dollars spent on web application security, the project conducted a survey and released the OWASP Security Spending Benchmark Report in March, 2009. The survey was conducted through the project’s 17 partners and resulted in valid responses from 51 organizations. The goal of the report was to measure spending habits regarding the development of web applications with secure code. However, it revealed a lot more.  The report revealed that only 61% of the 51 organizations surveyed used an independent third-party security organization to review their web application software code prior to going live. Twenty-two percent did not have an answer or only perform a review when requested by customers. Web application security only accounted for 10% of the overall security spending in 36% of the organizations. Additionally, a majority of the security checkpoints during the software development lifestyle occurred during the testing phase. The consensus is that checkpoints should occur at every stage, so as to find security issues earlier in the development process.

While organizations are spending money on data and application security, the costs are mainly based on regulatory compliance. The report also showed that over a third of the organizations surveyed also do not use web application firewalls to monitor or defend applications. The culmination of this information should raise a red flag for consumers and merchants alike (especially for merchants relying on third-party developers for their web applications).

According to Verizon’s 2009 annual Data Breach Investigation Report, the data breach was discovered by third parties in 69% of cases. The study, based on data analyzed from 285 million compromised records from 90 confirmed breaches in 2008, also found that 81% of affected organizations subject to the PCI DSS had been found non-compliant prior to being breached. The team conducting the study also stressed the importance of web application testing. 

In an attempt to assist developers in addressing application security risks, the OWASP created a Top 10 list of the most significant web application security vulnerabilities. More importantly the Payment Card Industry Data Security Standard has adopted the OWASP Top 10 with regards to secure coding guidelines. It is not a complete list, but considered a good starting point for developers writing secure code. The OWASP Top 10 list (created in 2004 and updated in 2007) is outlined below.

• A1 – Cross Site Scripting (XSS)
• A2 – Injection Flaws
• A3 – Malicious File Execution
• A4 – Insecure Direct Object Reference
• A5 – Cross Site Request Forgery (CSRF)
• A6 – Information Leakage and Improper Error Handling
• A7 – Broken Authentication and Session Management
• A8 – Insecure Cryptographic Storage
• A9 – Insecure Communications
• A10 – Failure to Restrict URL Access

What merchants need to know is that they cannot rely on firewall, network or host layer security to prevent data threats. If they are left to rely on developers and payment processors for payment security, merchants should be managing, or at least overseeing, these efforts to ensure that their e-commerce payment applications are tested completely before going live. If they are outsourcing application development, merchants should also review the development organization’s current customers as well as any history of data breaches involving the development organization and its web applications.

OWASP plans to release the benchmark report on a quarterly basis. This should help provide more exposure and a call to action in support of secure coding in e-commerce web applications.

Here are some tips to ensure your account is set up correctly:

1.      Processors are being more diligent in setting up guidelines, like monthly minimums and high ticket limits, and sticking to them. Setting up a merchant account with incorrect parameters can cost your business a lot of money. A tile company was set up with a high ticket limit of $600, and made a sale for $3000. The money was held by the processor and awaited verification from the customer with their issuing bank. The customer was unavailable to make the verification for 2 weeks. The tile store did not receive their money for the entire 2 weeks. Make sure you explain to your sales agent your specific volume needs and avoid the unnecessary headache that can be associated with large purchases.

2.      When selecting a merchant services provider for an online business, it is important to ensure that you have adequate reporting. With an online business, you don’t get to see your customer face to face. You have to have a way of retrieving customer information in the event an issue arises.  Make sure to see a demo of the reporting the online system will be using.  This will save you time and money when going to see your accountant too. If an issue does come up, will there be a live person you can talk to?  Make sure you have access to 24/7 live support.

3.      Ask about Underwriting, Risk Monitoring, and Fraud management systems.  Is the company you are processing with PCI DSS Compliant? It is important that your and your customer’s data is secure. If you fall into a High Risk category, can the company you chose still get your money to you in a timely manner? Will they expect money to be put in reserve, and if so, for how long? Does the chosen company have a system for monitoring fraud? Many providers don’t have an early warning system to alert merchants in the event of stolen credit card purchases.

The more your sales agent and processor know about your business, the better your overall service, rates, and technology will be. Look beyond the rate and pick a partner that will help your business grow.

Once your business is online and your shopping cart has been built, you have to select a payment gateway. Many merchants select their payment gateway based on what their merchant services provider tells them. There are hundreds of payment gateway options out there, and not all of them measure up.

A gateway facilitates your online payments by connecting your secure order from your merchant account to a processing bank. Something as important as the transfer of money should take some research. When selecting a gateway, consider available features, reliability, and support.

Some well known gateway options may not be your best bet. Authorize.net is a gateway that offers nothing more than a name. When it comes to support, this popular option falls short on all levels. Forty-five minute hold times, getting the run around from the help desk, and being a one trick pony are all this gateway has to offer.

An important item to look for in a gateway is ease of integration. If you don’t have a lot of money to spend on programming, or you are new to programming, you should select a gateway that allows you to follow some easy copy and paste steps to get your site up and running with all the payment options needed. A payment gateway should have a platform for identifying and preventing chargebacks without you having to take time out of running your business.

Some additional features to look for are a robust CRM and a strong customer database so you can run promotions and take care of your customers. A good payment gateway allows you to take payments in multiple fashions, such as recurring billing, bill me later, and ACH. There are gateways out there that even do your marketing for you. One such product is the Check-Out Box .

When selecting which gateway is going to support your business, cost should be the last deciding factor. Many online gateways may have low startup costs, but have hidden costs for additional features. For example, Authorize.net considers E-check and recurring billing to be additional features with additional charges.

I hope this sheds some light on those of you looking for a gateway solution. I invite those looking for a strong gateway to ask questions and give their opinions on gateway experiences you have had.

There are many different shopping cart options for people to choose. Every online business is different, and shopping carts are customized to fit your business needs.

First, when looking for your business’s shopping cart, it is important to know what features you would like it to accommodate. Most shopping carts can total orders, calculate tax and shipping costs, and transmit information via a payment gateway to process a sale.

The second important item to keep in mind when selecting your shopping cart is whether or not it is compatible with your payment gateway. Not all shopping carts like to play in the same sandbox. For example Authorize.net is a well known industry gateway. However, even this industry giant does not work with Yahoo’s shopping cart. It is always good to check with your web developer before signing up with a specific gateway. Some smaller gateways, such as Transaction Central, may be compatible with a limited number of shopping carts, but provides many customizable features.

Some other features to look for in a shopping cart are:

• Recurring billing capabilities
• Back end reporting
• Checks on-line
• Manual batching
• Multi-user access
• Future options – can peripherals be added if you choose to use this to expand your business to a retail store front?

It is also important to check with your web developer to make sure you get a SSL Certificate (Secure Sockets Layer). This is required by almost all gateways and ensures that card holder data traveling over the internet is encrypted. It is decrypted once it is received by the processor.

There are many shopping carts out in the market, so it’s best to write down all the features you want before beginning your search.

I am continually shocked by the number of Visa and MasterCard violations made by merchants I shop with a daily basis.

Here are a few mistakes I’ve personally witnessed merchants make:

1.       Many cards say “Check ID” on the back instead of a signature, because many consumers feel that not signing the back of their card will make it harder for their signature to be forged. Merchants typically ignore the fact that the card says “Not Valid Unless Signed.”

2.       There are no direct rules that keep a merchant from asking for a cardholder’s ID. A merchant cannot refuse to complete a purchase because a customer does not have valid ID. In most contracts that I have read between a merchant and their acquirer, merchants are required to follow specific Visa and MasterCard procedures. The ones I have reviewed clearly state in the terms and conditions of the agreement that a merchant is prohibited from refusing a sale due to a customer not having a valid ID.

3.       I eat lunch at many places that say I have to purchase a minimum amount in order to use my credit card.  It is actually in violation of the credit card companies’ terms and condition to refuse a transaction because it is below the “minimum”. Both MasterCard and Visa clearly state that a maximum or minimum transaction amount cannot be a requirement when accepting cards.

4.       You may have noticed gas stations charging a surcharge on credit card transactions. I often get calls from merchants asking to add a surcharge to offset the cost of taking credit cards. According to Visa’s card acceptance guide you many not charge a consumer a fee because they used a credit card. You can however offer them a discount for paying with cash or a gift card. There can also be convenience fees that can be charged to consumers who choose to place a telephone order or an internet order. This fee can’t be a percentage of the sale – it must be a flat amount, and it must be disclosed to the customer before it is assessed.

5.       Factoring is strictly prohibited by the card associations. You must process cards only for the type of business your merchant account is under. For example, I had an auto body shop that one day decided to fix abandoned cars. The merchant started to sell the cars in a lot they purchased next door. In this case the merchant should have opened a second merchant account. Their funds were held and their account was almost shut off.

Merchants found in violation of Visa and MasterCard rules can be reported by completing a violation form with either the bank that issued the customer their card, or on Visa or MasterCard’s website. Merchants can be fined or shut down. Make sure you do research before you decide to create and post a store policy, so you can avoid getting reported for violating card association rules.

ACH is only used in the United States and Puerto Rico. Similar systems exist in other countries but they have different names and run on separate networks.

Many articles say this is a safer way of taking checks because you don’t have to worry about looking for forged or counterfeit checks. But one thing I learned the hard way is, if you are a merchant and you are using the ACH process you may be in for a huge run around if you have a chargeback. An ACH chargeback does not occur in the same way that a credit card chargeback occurs. A merchant’s bank account can be debited as soon as the consumer reports to their bank that they did not authorize the transaction. The difference is the merchant will not receive a letter requesting proof of the transaction before, or after, the debit occurs. Instead, the merchant will have to dispute the charge with the customer’s issuing bank directly. You may find yourself spending hours on the phone between the gateway, merchant services provider and the customer’s bank.

Another risk when running an ACH transaction is that the money can still remain in a customer account for 2 to 3 days after the transaction is run. This causes a greater risk for bounced checks. Fortunately, if one of your customer’s checks should happen to bounce, you do have some recourse. The most common thing to do is a “Re-Present”, this means to wait a few days and then run the check again. Also, it is generally a good rule of thumb to contact your customer and seek out another form of payment.

There are other options such as Real-Time Electronic Check Conversion. Merchants that receive a lot of bounced checks from customers can use this process to eliminate the high cost of NSF fees. Electronic Check Conversion gives the merchant the option of verifying that there are sufficient funds in the account to cover the check and eliminates the potential risk of a check bouncing. The check is scanned through a check scanner, much like those you may have seen at your local retailer, called an imager. The customer does not have access to these funds as they are on hold. There is a cost to running Electronic Check Conversion and it is typically a percentage of the total check amount.

Let’s face it – we all strive to have that BMW as opposed to a Dodge Neon, and even shop around for the best appliances. Knowing this, have you ever stopped to wonder why we, as business owners, opt for the lowest bidding credit card processor for something as important as our business?

As with other products, cheaper does not necessarily equate to better. How about reliability? If your customers are charged the wrong amount, or transactions are declined due to an unreliable or inaccurate gateway, who do you think they will blame? That’s right, YOU! Consider this – is the money you’re saving using the cheapest solution worth the cost of losing future business?

Let me share with you this example, a few weeks ago, a merchant was having trouble getting cards approved on his website. He then had his funds held by his processor. His merchant services provider told him it was his gateway and conversely, the gateway provider told him it was his merchant services provider. Needless to say, this merchant chose his provider based on the lowest bid, and what he got as far as service and reliability was a whole lot of finger-pointing and denial of liability.

I’m sure as business owners you are bombarded with calls and mailers from merchant services companies on a daily basis claiming their fees are the lowest. Fees for merchant services are an unfortunate reality, irrespective of the processor you choose, so it is important to choose the right company to partner up with. Here are some things you should know when deciding on a merchant services provider:

• Make sure whatever gateway you choose is compatible with your shopping cart software.
• Rates and fees are determined by many factors: length of time in business, percentage of sales made over the phone or the internet, type of business, personal credit rating, and dollar amount of sales per month. A typical rate should be about 2.30% to 3.5%, but some companies charge as high as 6%. Poor personal credit or business type may warrant a much higher rate.
• Do not agree to a high discount unless you are sure no other company will process your charges for lower.
• Be sure to ask about all fees involved such as Gateway fees, ACH fees, monthly minimums, Address Verification Fees, transaction fees and statement fees.
• Read all agreements closely to determine the circumstances for which your money can be put on hold.
• Find out if there will be a hold or reserve on your account. If so, how much with be held and how long will it be held for?
• What types of fraud and risk monitoring does the processor and gateway provide?
• Who do you call when you have questions? For instance, a processor offering its own gateway is a better choice since there will be fewer support calls to make in the event of service interruption.

In my experience in this business, I have come across numerous merchants that got exactly what they paid for – very little.

Take my advice, do your homework and don’t settle for the lowest bidder.

First, it is important to understand the different types of transactions that can occur when running a credit card sale:

• Retail swiped account transactions will get a Qualified Discount Rate, which is the lowest rate possible. In this type of transaction the card holder is present, they are using a standard consumer credit card, and once the card is swiped the transaction is batched within 24 hours. If any of these criteria change, you could downgrade to a MID-Qualified or a Non-Qualified transaction, thus increasing your rate.
• A keyed transaction, or manually entered transaction, will get a MID-Qualified Rate. This can also occur if AVS (Address Verification Service) is not entered when the customer uses a rewards card, or if the transaction is not batched within 24 hours.
• A Non-Qualified transaction occurs when a card is key-entered with no AVS info, or if a Corporate, Government, or International Card is used.

If you are not able to swipe a card because you are using an online payment gateway, how can you also take advantage of better pricing? When processing a MOTO (Mail Order Telephone Order) or Ecommerce transaction make sure to do the following.

• Make sure all required AVS information is entered
• Set your payment gateway or terminal to batch or settle within 24 hours
• Enter an Order or Invoice number
• Make sure to enter the CVV2 number

Many different factors can determine the rate you are assessed on your transactions. If you know you are going to be taking card types that will typically fit into the Non-Qualified category described above, be smart when setting up your credit card processing account – make sure to find out what your Non-Qualified rate will be. Be sure to find out all the fees involved before signing on the dotted line.