Announced yesterday was American Express’ deal to purchase Revolution Money, launched by AOL Co-founder Steve Case’s Revolution LLC in 2007.

The acquisition, estimated at $300 million, will give American Express a foray into new payment channels and, hopefully, will provide Revolution Money customers (merchants and cardholders alike) access to American Express’ existing network.

The RevolutionCard contains no imprinted cardholder data and require a PIN to authorize transactions.  Revolution Money also provides an innovative payment platform and low-cost merchant services, which is highly attractive to business owners – and has provided some strong competition against the larger payment networks (i.e. Visa, MC).

Network availability and matching (cardholders would only be able to use cards at merchants who also processed Revolution Money payments) was one challenge that was facing Revolution Money.  Hopefully, Revolution’s new parent will continue the low-cost business model as well.  With credit card issuers adding new cardholder finance charges  before the credit card act goes into effect and merchants up against unavoidable service fees, a company sticking to a plan to help the economy recover rather than hinder it’s growth would be, well, revolutionary.

American Express plans to add Revolution Money as the first subsidiary to its new Enterprise Growth organization.

A Little History

The PCI Security Standards Council (PCI SSC) was formed in December, 2004 by the major card brands (Visa, MasterCard, American Express, Discover and JCB) to educate and enhance the security standards in the credit card industry.  Prior to 2004, each card company had developed their own set of data security standards programs:

• Visa – CISP (Cardholder Information Security Program)
• MasterCard – SDP (Site Data Protection)
• American Express – DSS (Data Security)
• Discover – DISC – (Data Security Guidelines)

Some of the requirements were redundant and merchants were confused as to which one to follow. Even if a merchant only accepted Visa and MasterCard (bundled together in merchant processing agreements), there were some differences in each of their security programs. The agreement within the council was that if a merchant is CISP compliant, all the other card companies would consider the merchant to be compliant. After all, Visa has been the principal initiator for compliance over the years, with the other companies following suit with their own flavor. Additionally, the council agreed upon a uniform set of standards (PCI DSS) to simplify compliance for merchants.

The Standard Today

The PCI DSS (Payment Card Industry Data Security Standard) is the generalized term for PCI compliance today and governs all payment channels – retail (swiped), mail order, telephone order and e-commerce. It is divided into 12 security requirements, originally developed by Visa in 1999 (known then as the “digital dozen”).

The Standards Security Council does not validate PCI compliance or impose fines for non-compliance. What they do is own and enforce a uniform set of data security standards as well as provide training and certification for Qualified Security Assessors (QSAs) and Approved Scan Vendors (ASVs). The QSAs and ASVs exist to validate compliance and to interpret the PCI DSS for merchants and acquiring banks. On the flip side, each card brand has outlined specific fines for non-compliance and merchants are fined accordingly. For example, Visa imposes a $5,000 fine for a mid-sized retailer who is not in compliance with the PCI DSS. The good news is that in January of 2008, according to Visa, more than three-quarters of large U.S. merchants, and nearly two-thirds of medium-sized retailers, are in compliance with the Payment Card Industry Data Security Standard (PCI DSS). To further promote PCI DSS, Visa has also imposed financial incentives for compliance.

Although important for merchants to follow the current compliance standards, it is more important for merchants, software developers, payment processors and acquirers to be proactive in data security. Hackers will always be out there trying to break in, even if just to say they can do it. The PCI SSC is doing a good job, but I give kudos to anyone staying one step ahead of the game. Be a leader, not a follower.

Income has dropped 8.7%, the biggest drop since 1947, and Americans have slowed down spending on everything from cars to appliances. American Express typically charges absorbent fees to merchants to begin with – in some cases double and triple that of Discover, Visa, or MasterCard. So how can they be in trouble?

American Express may have stabbed itself in the foot with card holders and merchants alike. AMEX cardholders are seeing their spending limits reduced because of where they live, where they shop and which institution holds their mortgage. This to me sounds like discrimination as opposed risk control. It is for these reasons that many are closing their AMEX accounts.

When reducing credit limits to card holders, AMEX sends a form letter that states:

“Our credit experience with customers who have made purchases at establishments where you have recently used your card…”

or

“Our analysis of the credit risk associated with customers who have residential loans with the creditor indicated in your credit report…”

AMEX may be reassessing card holder risk, but they are losing money by making it harder for card holders to use their cards. Many business owners rely on AMEX cards to fund travel costs and other company expenses. If their limits are lowered, and cards are being shut off, small business owners will have to begin laying off employees and downsizing operations. I am surprised imposing this type of card holder discrimination is not illegal.