A Little History

In 2005, Visa established the Payment Application Best Practices (PAPB), “to provide software vendors guidance in developing payment applications that help merchants and agents mitigate compromises, prevent storage of sensitive cardholder data (i.e. full magnetic stripe data, CVV2 or PIN data) and support overall compliance with the PCI Data Security Standard (PCI DSS)”.  In 2008, the Security Standards Council (PCI SSC) adopted Visa’s PAPB and released it as the Payment Application Data Security Standard (PA-DSS).  The PA-DSS relates to vendors who develop secure payment applications and its goal is to ensure that the applications are PCI compliant and do not store prohibited data, such as full magnetic stripe, CVV2 or PIN data.  The standard requires vendor software applications to be validated for compliance on an annual basis.  

On January 1, 2008, Visa implemented a series of mandates that requires its acquirers to ensure that its merchants and agents only use third-party payment software that is compliant with the PA-DSS. The mandates, in line with Visa’s Cardholder Information Security Program (CISP), intent is to eliminate “vulnerable payment applications from the Visa payment system”.  Failure to do so could result in financial penalties for acquirers.  Since the mandates were established over two years ago, and there have been 4 prior checkpoints, acquirers have had plenty of time to get their merchants geared up for this final mandate and July 1 deadline. 

Visa’s global merchants have until July 1, 2012.  MasterCard has also set a July 1, 2012, global deadline for PA-DSS compliance for its merchants, under their Site Data Protection (SDP) program.  According to their SDP update issued in June, MasterCard will also establish new PA-DSS compliance validation requirement for Level 1, 2, and 3 merchants and Level 1 and 2 Service Providers.

However, Visa is not completely rigid on the July 1 date.  According to an article in ISO & Agent Weekly, Visa intends to work with merchants who do not meet the July 1 deadline.  The exception to this assistance will be for merchants who are purposely avoiding compliance.  (Visa welcomes information regarding merchants who are not in compliance.) 

What Merchants Need To Do

Merchants need to be proactive from the gate.  To avoid non-compliance, and subsequent data security risks, they should not wait to hear the news of new policies from their processors.  They need to stay ahead of the pack by checking the PCI SSC site, as well as staying abreast of any pertinent news from the card companies.  Most importantly, they should always ensure they are using vendors who are PCI compliant.  How can they do that?  For starters, and for the purpose of Visa’s security mandates, they should only use vendors who are on the list of PCI SSC validated payment applications, which have been assessed for compliance with the PA-DSS.  Merchants should also only use vendors who use Payment Application Qualified Security Assessors (PA-QSAs), who are certified by the PCI SSC.  Even if a vendor states their payment application is PA-DSS qualified or have been evaluated by a PA-QSA, merchants should check the PCI SSC site for its validation.  Vendors are on the list for one year for only the software version which has been evaluated.  If a vendor has released a new version, a merchant should only consider using the compliant version and never use a beta version.  The PA-DSS never validates beta versions. 

If a merchant discovers that their vendor is non-compliant with the PA-DSS, it should either switch to a compliant vendor (which many not be as easy as it sounds) or assist the vendor in gaining compliance.  That’s not to mean that the merchant should assist them financially, but guide them if they can.  By working together, they can build a stronger relationship, resulting in secure data protection for their customers and cardholders. 

So, what happens if a merchant uses non-compliant vendor?  Aside from the risk of compromising cardholder data, if a breach occurs, the merchant can be fined by the card associations and/or forced to undergo a forensic audit, which is not free.  Merchants are having a tough enough time in this economy and should not jeopardize their business further by using non-compliant third-party payment processing vendors, nor risk adding costs that can be otherwise avoided. 

References:

Information regarding PCI SSC Validated Payment Applications and Payment Application Qualified Security Assessors (PA-QSAs) can be found at http://www.pcisecuritystandards.org  

Visa CISP – http://usa.visa.com/merchants/risk_management/cisp_payment_applications.html

MasterCard SDP – http://www.mastercard.com/us/merchant/pdf/SDP_Program_Revisions.pdf

Merchants have been complaining for years about the cost of interchange fees and unnecessary profits the banks are earning.  Interchange fees are not regulated by the federal government, which in turn provides Visa, MasterCard and the issuing banks the right to raise fees for any reason.  Merchants and advocate groups claim that capping interchange fees would lower merchant costs and help prevent – or limit – bank profits from unnecessary fees.  For example, credit card companies and the banks that sponsor gas credit cards collect as much as 8 cents per gallon for interchange fees.  The Retail Industry Leaders Association said that last year “Visa and MasterCard represented 71 percent of the credit card market and 88 percent of all interchange fees were collected by the top ten managing banks.”

In 2008, U.S. merchants paid an average interchange rate of 1.82 percent per transaction, according to the Nilson Report, a Carpinteria, Califorinia-based newsletter that tracks the industry.  “A significant advantage of capping or limiting interchange fees would be that it would reduce interchange fee costs most directly,” the report said.  However, this type of legislation could create fees elsewhere in the cycle.

“U.S. card issuing banks receive an estimated $40 billion to $50 billion in income annually from interchange fees.”

A 2003 law to curb credit card fees in Australia was initially intended to lower costs for merchants – hopefully creating a more competitive pricing market.  The law has backfired a bit.  Australian consumers are seeing new costs associated with using a credit card.  Banks have added annual card fees, cut card perks and reduced rewards programs, like frequent-flier miles. The Australian central bank also allowed merchants to impose surcharges to card users.  Merchant fees for American Express and Diners’ Club were not affected because interchange fees are only related to Visa and MasterCard.  However, both card companies decided to reduce merchant fees to avoid losing customers to Visa and MasterCard.

Following the introduction of the Credit Card Interchange Fees Act, President Obama signed the Credit Card Accountability Responsibility and Disclosure Act of 2009, which directed the Government Accountability Office (GAO) to conduct a study of credit card interchange fees.  In November, the GAO released their report.  The GAO assessed four options to address merchants’ concerns:

• Limit or cap interchange fees
• Require the disclosure of interchange fees to consumers
• Prohibit card networks and other entities from imposing rules on merchants that limit their ability to discriminate among the different types of cards, or levy a card surcharge
• Allow merchants and issuers to directly negotiate interchange fees

The GAO determined that proposals to cut credit card merchant fees will be hard to implement.  The report did not conclude, however, if merchants were likely pass on any savings they obtained through lower fees to consumers or encourage consumers to decrease their use of higher rate cards.  They did conclude that disclosing interchange fees to consumers could be confusing and, of no surprise, interchange fees “account for the largest portion of the [merchant] fees for [the] acceptance of Visa and MasterCard credit cards.”

Congress is currently considering three bills that would regulate interchange.  If U.S. regulators put limits on fees or rates, the banks will find another way to generate revenue.  U.S. card issuing banks receive an estimated $40 billion to $50 billion in income annually from interchange fees.  The banks and card companies are obviously against any bill proposing fee and rate limits.  Reflecting on the aftermath of the new credit card rules in Australia, the U.S. Congress has the difficult task of deciding what to do.

Announced yesterday was American Express’ deal to purchase Revolution Money, launched by AOL Co-founder Steve Case’s Revolution LLC in 2007.

The acquisition, estimated at $300 million, will give American Express a foray into new payment channels and, hopefully, will provide Revolution Money customers (merchants and cardholders alike) access to American Express’ existing network.

The RevolutionCard contains no imprinted cardholder data and require a PIN to authorize transactions.  Revolution Money also provides an innovative payment platform and low-cost merchant services, which is highly attractive to business owners – and has provided some strong competition against the larger payment networks (i.e. Visa, MC).

Network availability and matching (cardholders would only be able to use cards at merchants who also processed Revolution Money payments) was one challenge that was facing Revolution Money.  Hopefully, Revolution’s new parent will continue the low-cost business model as well.  With credit card issuers adding new cardholder finance charges  before the credit card act goes into effect and merchants up against unavoidable service fees, a company sticking to a plan to help the economy recover rather than hinder it’s growth would be, well, revolutionary.

American Express plans to add Revolution Money as the first subsidiary to its new Enterprise Growth organization.

Interestingly enough, some states (i.e. New York) allow this practice so long as a sign is clearly posted.  No matter, since the merchant needs to understand that they must abide by the respective card company operating guidelines.  If they violate the rules, they are terminated.  Visa and MasterCard, not the legal system in this case, rule the roost.

Merchant fees, on average, run about 2% of the sale and include items such as, but not limited to, discount and/or transaction fees, card association fees, statement fees, AVS (address verification), gateway fees and monthly statement fees.  Merchants need to accept these fees as a cost of doing business, similar to other operating fees.  Instead of focusing on the cost of accepting card payments, merchants should concentrate on the reduced risk of card payments, which are guaranteed at the time of purchase.  (Exceptions to this payment guarantee would be if chargebacks come in to play at a later date.)  In a time when cash or checks were the only option and consumers felt more comfortable paying by check, a merchant had to wait until the check cleared – and also took the risk not getting paid if a check bounced. The funds from debit and credit card purchases are deposited anywhere from 24 – 72 hours from the batch closing date.

Business owners are constantly finding ways to help their profit margin – by using effective practices to reduce merchant fees and increasing customer loyalty.  Some have their POS systems set to default to PIN debit (merchant fees for debit cards are typically lower than those for credit cards).  Others offer discounts for cash payments.  No matter how a merchant chooses to operate in favor of their bottom line, they have to ensure that they are adhering to card association operating guidelines.  In today’s world, a merchant not being able to accept card payments will have a hard time existing at all.

Heartland’s 2008 data breach is supposedly the largest breach of that year, but not the only one hit by the same hacker. According to Bob Carr, CEO of Heartland, most of the companies affected did not come forward. However, news articles are blasting Heartland for not reporting the 2008 breach earlier so customers and merchants could take action and precautions. While the Department of Justice has been successful in capturing individuals behind the recent data breaches, this should be a strong sign to any company involved with sensitive data that they should be stepping up efforts in the prevention of data loss.

The delay of notification about data breaches is becoming too common and also a source of contention for those affected. The most recent news involved Radisson Hotels & Resorts, who recently revealed a breach which occurred between November, 2008 and May, 2009. According to the Associated Press, Radisson reported that the data breach affected cardholder names, card numbers and expiration dates of their North American customers but they did not specify how many were affected.

One approach to get companies to pay more attention to data security has been to hit violators financially. Visa and MasterCard impose fines for PCI compliance violations (MasterCard has recently increased their fines hoping that companies will take data security more seriously). Class action lawsuits have also been filed against companies like Heartland by customers whose credit cards were affected in data breaches. Lawsuits and the financial impact to companies who handle sensitive data shouldn’t be the reasons they impose stricter controls, but if that is, then companies who have been spared should take that as a lesson.

Following PCI DSS guidelines for securing data is simply not enough. Everyone in the “payment chain” (i.e. point of sale, processors, financial institutions) is responsible for ensuring data security. The stronger each piece is will help to strengthen the overall security of the data.  Additionally, although PCI compliance varies for different levels/tiers of processing volumes ($), everyone in the payment chain should go beyond what is required to protect the data. A processor using a third-party payment gateway should ensure that vendor is PCI compliant. That same third-party vendor should ensure their customers are PCI compliant as well. Finger pointing won’t solve the problem in a world where companies should work together to produce best practices.

Stronger encryption, along with the safety of, and restricted access to, physical data storage are just a few of the basics. Any company who handles sensitive data should have a dedicated team (or at least a key executive) assigned to manage those controls on a regular basis. A self assessment or qualified audit should be seen only as a guidepost. Companies relying only on auditors to determine their compliance are putting their company, and customers, in jeopardy. Being compliant doesn’t mean a company’s data is secure and the auditor cannot ensure that data is secure either. Their job is simply to report on the controls in place for data security.  VeriSign’s 2007 white paper about how to avoid an audit failure provides basic, yet necessary, measures for data security that are still valid, yet likely not practiced enough, today. Companies need to take these measures more personally on behalf of the security of their customer data.

The Independent Sales Office, or ISO, is not only focused on generating merchant accounts for the Processor they are registered with, but are responsible for maintaining their relationships with the merchants that are accepting and processing credit cards through them. An ISO can be anywhere is size from a few people to hundreds and can offer everything from merchant accounts and customer service to technical support and credit card terminals.

As a rule of thumb I tell merchants to do their homework because bigger isn’t always better when it comes to choosing an ISO. One of the main complaints I get is that as the ISO gets bigger, it’s usually at the expense of service or support. Many merchants have told me they are on hold forever and sometimes can’t even speak with a live person. A good ISO will have agents whose job is to create and foster the relationships with businesses and merchants that need brand new, different or additional merchant accounts yet also require a good level of support and service to go with them.

Finding the right ISO and having a good agent to assist you whenever you need will make the whole process pain-free and give you the peace of mind knowing you’re never on your own when you need service or support.

The majority of merchants seem to have no idea just how beneficial accepting credit cards can be for their business. If they just took a little time to learn how the Payment Card Industry works, I am sure I would hear a lot fewer negative comments. There is a common misperception that accepting credit cards or opening a merchant account is expensive, time consuming and just not really worth it. For every merchant that has turned away a paying customer because they wanted to pay with a credit card I ask, “Can you afford not to take credit cards?” More often than not I find myself spending some time with the merchant to let them know what the benefits to their business could be and also explaining the simple process of getting a merchant account.

Once they realize that the main reason they’ve had for not opening a merchant account is incorrect or misguided they want to know more and always have some degree of questions for me. I typically try to find out what their concerns are, begin at the top and work my way down starting with the major credit card companies we are all familiar with and ending with their customers – all the while answering questions along the way.

The big credit card companies are not an actual bank as many think, but have relationships with many different financial institutions, the most common being what you and I think of as a traditional bank. In the Payment Card Industry these are referred to as “Member Banks” or “Acquiring Banks” and have been approved by the credit card company to issue merchant accounts based on certain criteria. The guidelines and requirements are set by the credit card company themselves and must be agreed upon in order for that bank to become a “Member” of said company and therefore qualified to approve accounts allowing merchants to accept that type of credit card. The biggest of these is of course Visa and I will use Visa as the standard for demonstrating any examples. So up to this point we have Visa and a bank that has been accepted as a member of Visa and thus is now considered an “Acquiring Bank”.

Once a bank has been approved by Visa they are able to qualify and approve businesses for merchant accounts. These banks often times also create relationships with other companies to generate more business or to cover a larger demographic or geological area. Since the bread-and-butter for most banks is not in merchant services or the merchant account sphere, many encourage other companies who focus entirely on merchant services to become “registered” with them. In the Payment Card Industry (or PCI) these companies are referred to as “Processor’s” or “Service Providers” and are to able to approve merchant accounts assuming they meet the agreed upon criteria.

Ultimately, the merchant has the final say as to whether or not they are going to accept credit cards as one form of payment for their products or services. The ability of a merchant to accept payment via credit cards is getting safer, faster, easier, and more accessible everyday. The Payment Card Industry is committed to providing the largest array of credit card products, services, and solutions possible in these days where plastic is King.

The first thing that most look for in a credit card is the interest rate. Cards may have a low introductory rate and offer great rates on balance transfers, but these may be nothing more than teaser rates. Reading the fine print can save some from paying as high as a 30 percent APR. Look in the fine print for the variable rate or how high the rate will go after the introductory period.

For some time, banks have been offering rewards cards. These cards give a chance to accumulate points that you can trade in for products, such as airline miles, gas, and even cash.  Even with these cards, due to the amount of money that has to be spent to qualify for any of these rewards programs, people may be better off just buying their own plane ticket or coffee maker. Rewards cards also cost business owners more to accept because they typically have a higher Interchange rate. In the end, the biggest rewards on these cards go to the banks and associations.

Often people with bad credit assume they are not eligible for a credit card. People with poor credit can consider prepaid cards or secured cards. Prepaid cards allow you to deposit a set amount of money onto the card and then the card can be used just like a traditional credit card, even making purchases online. Prepaid cards are a good way for parents to allot money to kids in college without having the risk of them going over the limit like with a traditional credit card.

Secure cards are cards backed by a paycheck. The bank that issues the card is ensured payment because any due funds are typically deducted from the person’s paycheck. If someone simply has bad credit and needs a credit card, they can always opt for a high interest, low limit card. But if they are in a bad credit situation, my advice is to opt out of a credit card altogether.

Some cards are considered specialty cards. There are business cards, contactless cards, and high roller platinum cards. Banks claim that platinum cards have high limits, low fees, and great rewards programs. But like I said before, the color of the card doesn’t matter.

On Tuesday January 20^th, 2009 Heartland Payment Systems, a New Jersey based payment processor, disclosed that they had been hacked. Heartland Payment Systems processes about 100 million transactions a month for over 250,000 merchants. Although Heartland has not released numbers on how many card numbers have been compromised, it has been said that this breach will set a historic record. A breach of this magnitude will no doubt create a surge in fraudulent transactions all across a wide range of ecommerce sites and affect online purchases for a long time.

If you are an online business owner, be prepared for a rise in chargebacks and declined transactions. It is now more important than ever to have systems in place to monitor fraudulent activity. Implementing alert systems that detect a fraudulent transaction before they go through is a way to stay one step ahead. Another is to make sure you require AVS and CVV2 confirmations on your online orders.  Most importantly, have clear purchase terms and conditions on your site.

Only Heartland and the U.S. Secret Service will know the true extent of the breach but I am sure that we will all feel it in one way or another. If you are worried you are a card holder who may have been compromised, immediately notify your bank and have a new card issued. Contact all three credit bureaus and put an alert on your account.