Payment Application Best Practices from Visa

Monday, March 31, 2008
High profile breaches of cardholder data have garnered a lot of attention in the media.  Most of us have read or heard about the 40 million cards that were compromised at CardSystems, or the 100 million cards compromised at TJX.  As a result of these breaches, the payment industry developed the Payment Card Industry (PCI) Data Security Standard (DSS).  However, complying with the PCI DSS can be complicated and expensive, especially for smaller merchants.  Although we may not read about it in the press, breaches at smaller merchants occur every day because the payment hardware and software they use is not compliant with PCI DSS. 



In an effort to make compliance with the PCI DSS a little easier for merchants who use payment application software, Visa developed the Payment Application Best Practices (PABP).  The PABP applies to software applications that store, process, or transmit cardholder data as part of authorization or settlement.  It does not apply to software developed in-house by merchants since that would be covered under the merchant’s normal PCI DSS compliance. 

Software vendors are required to have their payment applications certified as PABP compliant by a Qualified Application Security Professional that is employed by a Qualified Payment Application Security Company.  Once compliant, Visa will include the software vendor and product version in a list of validated payment applications for one year.  Software vendors must re-validate their payment applications each year to remain on the list. 

The PABP mandates are designed to eliminate non-secure and vulnerable payment applications from the Visa system.  They require members to ensure that merchants do not use applications that retain prohibited data elements, and that merchants use only payment applications that adhere to Visa’s PABP.  If you are using a payment application from a software vendor that is not PABP compliant, you will not be able to comply with the PCI DSS.

As of January 1, 2008, new merchants are not allowed to establish a merchant account using a non-compliant payment application.  Existing merchants should check with their agent or ISO to make sure their payment application is on the list of PABP compliant applications.


Allowing Others to Use Your Merchant Account

Monday, February 11, 2008
We all have friends that ask us for favors and to help them out in a pinch. After all, what are friends for? But sometimes you just have to say "No", especially if they are asking to use your Merchant Account. Allowing someone else to use your Merchant Account is called Factoring and is against Card Association rules (Visa, MasterCard, Amex, Discover). Factoring could lead to cancellation of your Merchant Account and/or hefty fines from the Card Associations.





You might be asking yourself why letting someone else process an occasional transaction through your account is considered such a no-no. After all, who gets hurt? The short answer is…YOU!

The issue that arises when you process on behalf of someone else is that your credit card processor assumes the transaction fits your particular risk profile, as determined by your SIC code, the underwriting that was performed when you applied for the account, and the ongoing monitoring of your account. Let's say your friend is selling products or services that are inherently more risky than yours. It is likely that those transactions will experience a higher rate of fraud and chargebacks than you normally incur. This will raise all sorts of red flags at your processor, and your account will almost certainly be suspended pending an investigation by the loss prevention department. If it is determined that you were factoring, your account will be closed and you will be placed on the Terminated Merchant File (TMF/MATCH) list. Once on this list, it is nearly impossible to get another merchant account.

Excuses Not To Have a Merchant Account

When your friend asks to use your merchant account, he or she will undoubtedly offer one of the following excuses for not having a merchant account.

Encourage Your Friends

Don’t let your friends take advantage of you and put your merchant account in jeopardy! Encourage them to invest a little money in their business and open their own merchant account if they want to accept credit or debit cards as a form of payment. Ask them to contact an ISO or agent and open an account today!

We certainly hope this podcast has been of benefit to you. Look for this article in an upcoming issue of "Pingzine" Magazine.

Please call Loud Commerce at 800-931-9835 or contact us and let us create a customized payment processing solution for you, including a free no-obligation quote and cost savings analysis.


Merchant Direct Access Service

Wednesday, January 09, 2008


This podcast is brought to you by LoudCommerce.com and voiced by Lynn Brooks of LynnBrooks.com. Today, let’s talk a little bit about “Merchant Direct Access Service”.

Visa offers merchants a service called the Merchant Direct Access Service (MDAS), which gives merchants access to the address verification service (AVS) via a toll-free number, using a touch-tone phone. The service is specifically targeted at small mail order / telephone order (MO/TO) or Internet merchants for whom an electronic AVS connection may not be cost-effective. Merchants using MDAS are charged on a “per transaction” basis.

To use the MDAS, you need access to a touch-tone telephone and your Merchant Access Code (MAC) which you can obtain from your merchant account provider. To request an address verification, call the MDAS toll-free number, 1-800-VISA-AVS (1-800-847-2287). An automated voice unit guides you through the process of submitting a customer’s account number and address, and gives you the results of the verification.

MDAS responses are similar to AVS, but do not include a single-letter response code. There are currently five responses that can be obtained from the MDAS:
  1. Exact Match: Street address and zip code match
  2. Partial Match: Street address matches, but not zip code or zip code matches, but not street address
  3. No Match: Neither the street address nor zip code matches
  4. Retry Later: Card issuer system is not available at the present time
  5. Global: International address; cannot be verified



How to Handle a Large Order

Thursday, December 20, 2007
When you have an order that varies significantly from your typical order size, special care needs to be taken to make sure the order is legitimate. Fraudsters typically place large orders with unsuspecting merchants, so you should be wary of shipping out merchandise until you have fully "vetted" the order.  For example, let's say your average ticket is about $200.00.  You just received an e-mail from your store showing that a customer has placed an order for $3,000.00 worth of merchandise, and the electronic payment gateway shows that the address verification (AVS) and Card Verification Value 2 (CVV2) were verified. But what now?  Do you ship out the merchandise to the customer and hope that they are legitimate?  Of course not!  The AVS and CVV2 verifications alone are not adequate to ensure that the customer is not using a stolen credit card.  Further vetting of the transaction is required.

Vetting the Transaction

Fraudsters will often ask that the merchandise be shipped to a different address than the one on the credit card, so a good place to start is to look at the Internet Protocol (IP) address of the consumer and see whether it geolocates near the credit card billing address. Some merchants have a service built into their shopping cart software that will verify this automatically, or you can use a website like Geo IP Tool or IP 2 Location.  Unfortunately, this might not work for all consumers, especially dial-up users on America Online (AOL), whose traffic leaves through shared proxy servers. For example, an IP address of AOL is 172.192.48.225. Most of these will report back as Reston, Virginia, United States. This does not help you as the merchant, especially if the billing and shipping address are in Colorado; treat such a result as inconclusive rather than as a mismatch.

Contacting the Consumer

Fraudsters will typically not leave a valid phone number and will usually use a free e-mail service such as Yahoo!® or Hotmail®. Don't hesitate to contact the customer on large orders. When calling, you should identify yourself and ask the customer to verify the order. Don't be afraid to also e-mail the customer and ask them to reply to the e-mail to verify the order. You might also require the customer to sign a credit card authorization form and fax it to you.

Require a Signature on Delivery

When shipping out the order, ask the shipper to get a signature on delivery. You should also notify the customer that you will require a signature on delivery or else the merchandise will be returned.

Contact your Payment Processor

After you have vetted the transaction and documented your actions, contact your merchant account provider before your daily batch is uploaded. Most processors will place funds on hold if the order amount is significantly larger than the typical ticket size for your account. Tell them about the order and what you have done to verify it. Ask them if they need you to do anything else. When they tell you everything is OK, get the representative's name and/or employee ID number.
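As an added illustration (not part of the original post), the following Python sketch turns the vetting steps above into a pre-shipment screening rule for unusually large card-not-present orders; the 5x average-ticket threshold, the AOL proxy prefix, the webmail list and the sample orders are all assumptions constructed for this example:

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed: AOL dial-up egress range that always geolocates to Reston, VA.
SHARED_PROXY_PREFIXES = ("172.192.",)
# Assumed: free webmail domains that the post names as a weak signal.
FREE_MAIL_DOMAINS = {"yahoo.com", "hotmail.com"}


@dataclass
class Order:
    amount: float
    avs_match: bool            # gateway AVS result
    cvv2_match: bool           # gateway CVV2 result
    billing_state: str
    shipping_state: str
    ip: str
    ip_state: Optional[str]    # geolocation result, None if lookup failed
    email: str
    phone_verified: bool = False  # merchant reached the customer and confirmed the order


def screen_order(order: Order, average_ticket: float,
                 multiplier: float = 5.0) -> Tuple[str, List[str]]:
    """Return (decision, reasons); decision is 'ship', 'review' or 'hold'."""
    if not (order.avs_match and order.cvv2_match):
        return "hold", ["AVS or CVV2 did not verify"]
    if order.amount < average_ticket * multiplier:
        return "ship", []          # normal ticket size: AVS/CVV2 are enough here
    reasons = [f"order ${order.amount:,.2f} exceeds {multiplier:.0f}x "
               f"average ticket ${average_ticket:,.2f}"]
    if order.shipping_state != order.billing_state:
        reasons.append("ship-to address differs from billing address")
    # Shared-proxy or failed lookups are inconclusive, not a mismatch (the AOL caveat).
    if order.ip.startswith(SHARED_PROXY_PREFIXES) or order.ip_state is None:
        reasons.append("IP geolocation inconclusive (shared proxy or lookup failed)")
    elif order.ip_state != order.billing_state:
        reasons.append(f"IP geolocates to {order.ip_state}, billing address in "
                       f"{order.billing_state}")
    if order.email.rsplit("@", 1)[-1].lower() in FREE_MAIL_DOMAINS:
        reasons.append("free webmail address")
    # Size alone, confirmed by phone, may ship; still require a delivery signature.
    if order.phone_verified and len(reasons) == 1:
        return "ship", reasons + ["customer confirmed by phone; require signature on delivery"]
    return "review", reasons


if __name__ == "__main__":
    aol_order = Order(3000.0, True, True, "CO", "CO", "172.192.48.225", "VA", "buyer@yahoo.com")
    print(screen_order(aol_order, 200.0))
```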




Discount Rates

Tuesday, October 09, 2007


This is the first in a series of audio casts talking about the various merchant account fees that are charged by payment processors. It’s important to understand that fees can vary significantly from one payment processor to the next. The only way to make an accurate comparison between processors is to compare their “effective processing rate”: calculate the total monthly processing costs you will be paying and divide that amount by the dollar volume of transactions you expect to process.

Once you sign up with a payment processor, your Merchant Agreement should show all of the fees you will be charged. You should carefully examine your monthly processing statement and compare the fees you are paying to your agreement to make sure you are being charged in accordance with the agreement. If you see that you are being charged for something that was not on your merchant account agreement, contact your merchant account provider immediately.

The first fee you are likely to see when shopping for a merchant account is the Discount Fee. The discount fee is the amount that is deducted from each sale you make and is stated as a percentage. The discount fee varies depending on whether you will have a “keyed” account or a “swiped” account. Keyed accounts are those that will have less than 30% of their transactions swiped through a point of sale terminal or card reader. All Internet merchants will have keyed accounts. Currently, the discount fee for keyed accounts with FDIS Loud is 2.19% and for swiped accounts is 1.69%. The 50 basis point spread is essentially a risk premium, charged because keyed transactions are inherently more risky than swiped transactions. With swiped transactions a merchant can see the card, check whether the signature box is signed and match it to the signature on the receipt, observe the behavior of the customer, ask for ID, etc. With a keyed transaction you don’t have any of these anti-fraud tools available. Therefore the risk of chargeback is higher, hence the risk premium.

The discount fee that all processors will quote to prospective merchants is called the Qualified Rate. This is the rate a merchant will pay on qualified transactions. Many merchants don’t realize that a large percentage of their transactions won’t be charged the qualified rate. Instead, these transactions will be “downgraded” to mid-qualified or non-qualified and will be charged a surcharge. Whether a transaction is charged at the qualified, mid-qualified, or non-qualified rate depends on a number of factors including the type of credit card being used by the customer, specific information contained in the transaction, how and when the transaction is processed, your industry, and the type of merchant account you have. Internet merchants will typically have a 2-Tiered pricing schedule which means that transactions will either be qualified or non-qualified. Retail merchants with swiped accounts will have 3-Tiered pricing. Without knowing what the mid-qualified and non-qualified rate will be, you will be unable to calculate a true effective processing rate.

Please call Loud Commerce at 800-931-9835 and let us create a customized payment processing solution for you, including a free no-obligation quote and cost savings analysis.

Thanks for listening!
