We’ve just completed a simple credit card logo generator and have included an API for web designers to use as well.

The API supports different logos for card issuers, paypal, google checkout and a few other. A developer can use the API to specify the size, background color and the order of the logos that they need on their website.

Update 05-2013 - Added Bitcoin and Google Wallet.

Update 03-2013 - Added Skrill, Verified by Visa, and Mastercard Secure Code logos.

Update 08-2011 – Added ebillme and 2checkout.com logos.

Here’s a quick tutorial and a few examples of how to use the API.

1. Create an image tag with the root url: https://www.merchantequip.com/image/
2. Next add the bgcolor parameter to specify a 3 or 6 character HEX background color for your logo. If you do not know the background color: FFF is white, 000 is black. Here is a full HEX color chart. There are also a variety of browser addons if you need to match the exact colors of your website.
3. Next specify the actual logos that you would like to add to your site, in the order you would like to display them. Separate the logos with a pipe | character. Example: v|m|a|d for Visa then MasterCard followed by Amex and Discover.All of the available logo codes are:
   • v = Visa
   • m = MasterCard
   • d = Discover
   • a = Amex
   • g = Google Checkout
   • p = Paypal
   • bml = Bill Me Later
   • ec = eCheck
   • jcb = JCB
   • dc = Diners Club
   • s = Solo
   • me = Maestro
   • mb = Moneybookers
   • az = Amazon Payments
   • in = Interac
   • ebm = eBillme
   • 2co = 2checkout.com
   • vbv = Verified by Visa
   • msc = Mastercard Secure Code
   • sk = Skrill
   • bit = Bitcoin
   • gw = Google Wallet
4. Finally specify the height of the logos. The images currently come in 32px and 64px, so size accordingly allowing for a small margin around the images. We will be allowing for dynamic resizing in the future, but for now the only 2 sizes supported are 32px and 64px. Any additional height will be added as a margin.

The actual image url should look like (these are all generated through this exact API):

https://www.merchantequip.com/image/?bgcolor=FFFFFF&logos=v|m|a|d&height=32

The image HTML will look like:

<img src=”https://www.merchantequip.com/image/?bgcolor=FFFFFF&logos=v|m|a|d&height=32″ />

The logo above will display as:

Here’s the same logo using the larger image sizes:

Here’s all of the currently available logos:

While this tool is free to use we greatly appreciate a backlink or credit if you are using images that are hosted through the API. These images are all served securely over SSL, so they may be used on secure/SSL websites and ecommerce sites without errors.

If you have no idea of what an API is or just need logos for your website, please use the credit card logo generator and ignore this post.

Thanks again.

The state of Illinois has issued a cease and desist against Square Inc. (pdf) for violating a money transmitter act and is requiring them to cease all money transferring activities with any resident of the state.

What this basically means is that Square is not operating within money transfer regulations by Illinois’s interpretation of Square’s practices. Much of this is directly focused on anti money laundering regulations. It is extremely easy to setup an account with Square and there are numerous reports and even instructions on how to use Square for illicit businesses, it’s not surprising that this has come to a head.

It will be interesting to see how this plays out and if other states take the same interpretation of Square’s business practices.

I know that the traditional processing industry has been less than thrilled at how Square is allowed to conduct business and solicit customers.  Much of this may be a natural reaction to a fierce competitor. However the reality is also the observation of Square’s apparent rejection of the rigorous standards that are required by existing credit card processors. While regulations are often a burden and a barrier to progress, many of these standards are in place to prevent fraud and combat money laundering. To be blunt, Square came across as completely ignoring many of standards just to reduce their own barrier in getting a customers processing account setup.

The IRS 6050W mandate passed in 2008 requires credit card processors to report merchant processing revenue to the IRS for each year of active processing. The IRS essentially thinks business owners are cheating on their taxes and are using credit card processors to try and identify egregious tax dodgers. Merchants with tax related information that is incorrect when their processors files a 1099-K will be subject to having funds held by their credit card processor. Last year, we were given a bye and didn’t have to hold merchant funds for those merchants with incorrect TIN information. This year appears to be different and processors will be holding funds per IRS regulations. We’ve already seen numerous cases where Amex was forced to put a hold on merchant’s funds.

You may have recently received notice from your credit card processor of your TIN or corporate name mismatching, or simply a notice to verify your processor has the correct TIN/EIN number and corporate name on file for your business. Do not ignore these notices!

It is extremely important to make sure this information is up to date and is correct with your processor. Incorrect TIN information can result in your processor being forced to hold the money being processed through your merchant account. American Express is a separate entity and you need to make sure that your TIN information is correct with American Express separately from your merchant account.

To update this information, you will be required to provide your credit card processor or American Express with an accurate W9 form. Completing this form properly is critical to preventing a TIN mismatch. This form must be filled out with the exact information you used to register your TIN with the IRS which is also the same information required when filing your taxes. A single misplaced letter or punctuation, the incorrect type of business, or an incorrect TIN will cause a mismatch. The IRS doesn’t have an adequate system for your processor to verify this information, or lookup the correct information, so it is up to you to make sure it is accurate. If you don’t know the TIN or the exact name you established your TIN under, you can contact the IRS to get the correct information.

Make sure this information is correct with your processor and with American Express to avoid having your money held.

A result of the recent card association / merchant settlement is that merchants may now place a surcharge on their credit transactions. We’ve already been getting a lot of phone calls about this, so let’s go over a few of the basics. You should also review Visa’s official information on surcharging for the in-depth details.

If you live in California, Colorado, Connecticut, Florida, Kansas, Maine, Massachusetts, New York, Oklahoma, or Texas forget about it. It is illegal in your state to add any surcharge on a credit transaction and state laws always trump operating regulations facilitated by private entities.

If you live in one of the other 40 states, you may be able to surcharge beginning January 27th, 2013.

In a nutshell, here’s what’s going to happen. Make sure you check with Visa’s and other association websites before adding a surcharge to ensure you are complying with all of the implemented rules and regulations.

• Notify Visa and your acquirer at least 30 days in advance of beginning to surcharge.
• Limit surcharging to credit cards only (no surcharging debit and prepaid cards) and limit the amount to your merchant discount rate for the applicable credit card surcharged.
• Disclose the surcharge as a merchant fee and clearly alert consumers to the practice at the point of sale – both in store and online – and on every receipt.

Remember, you cannot surcharge a debit card no matter how it is processed. You cannot surcharge if you accept American Express or Paypal. You cannot charge a prepaid card no matter how it is processed. You cannot under any circumstance charge more than you are paying to accept that specific card. There are specific rate limits listed on Visa’s website.

Although this may seem like a beneficial and obvious solution to some merchants, I strongly urge you to take a good look before implementing a surcharge. Shifting a cost like this is not going to fare well with many customers. I would personally not make a decision like this lightly. If you do decide that you want to surcharge, make sure you have a plan to test and back out if necessary. As proven in Australia, surcharging credit transactions has the potential to drastically alter payment preferences and will often upset a customer no matter how the surcharge is presented. In the world of social media, surcharging has the potential to generate a lot of bad publicity, very quickly, if you upset the wrong customer base.

Lastly, don’t be surprised if this change in regulation is retracted in the future. Consumers drive commerce in the US and they certainly will have their shot at overturning surcharging if they feel that it is unfair.

We’ve been speculating since Square got started that it would quickly infiltrate illegal markets. Partnered with prepaid debit cards, it offers an almost 100% anonymous method of accepting credit cards.

While reading some actual stories of drugs being purchased via debit card through a square reader, I went and did some searching on Google. To my surprise, not only are there multiple articles and instruction on how to accept debit cards for illegal sales, but Square is actually advertising for drug dealer related search terms. What a nice company.

Here’s a daily scenario that I come across. A website owner / entrepreneur / service provider / auction site / startup / etc., wants to create their awesome online platform that will allow vendors to sell and customers to buy, and they simply want a small percentage of the transaction. There are about a million different ways to describe this, but in the end the result is the same, the vendor gets payment, the site operator takes a small percentage, and the customer gets their product or service.

Now on the surface this is a completely rational credit card processing setup that many businesses could benefit from. In reality, processing like this is an extremely risky method that can and often does result in substantial losses for the party running the platform and the credit card processor. Let’s run through why these scenarios often don’t work and are prohibited by every normal payment processor out there. The technical term for this is called aggregating, and coincidentally it is exactly what Paypal, Square, and other 3rd party payment processors do.

In these scenarios we have 3 parties, the customer making the final purchase, the vendor who is selling their product or service, and the platform that is providing the mechanism or bridge between the vendor and the customer. This could be a anything from a commission based shopping site, an event coordinator, an action house or website, or any number of business ideas where a middle party provides the connection and mechanism between vendor and customer, but doesn’t actually provide the service themselves. The idea is that the platform seamlessly collects the payment from the customer and then pays the vendor after taking their small percentage fee for the service. Since they have a number of vendors using their service, they typically want to setup one merchant account to accepts payments with and use their own internal accounting to handle the proper payments.

Chargebacks…

What this creates is a major liability vacuum where the party that receives the majority of the payment, is not the party that is contractually responsible to the customer’s bank. When the customer decides they didn’t like the service and they make a chargeback, the platform loses the money and then must go back to the vendor to get reimbursed for their customer’s chargeback.

Just to illustrate how much risk  and exposure the platform takes on this, let’s just say the platform charges the vendor an arbitrary 5% per sale in fees and commission. At 5%, the platform is taking 2,000% exposure on every dollar they earn through their system, without taking processing fees into consideration. To be redundant, for every $1 in revenue the platform keeps, they have $20 in liability for at least 180 days.  Even at 10% in fees, they are exposed 1,000% on the dollar. The vendor ends up with 95% or 90% of the amount payed, while the platform still holds the liability for the entire 100%. This problem is further compounded when you consider that a card holder has 180 days from the date of the transaction to file a chargeback with their issuer. The bigger picture presents potential liability and challenges that far exceed what most businesses could ever accurately plan for. The reason that credit card processors and card associations don’t allow this is that when thing blow up and the vendors aren’t refunding the platform, and the platform implodes and is broke, the processor is left with the bill. And yes, this has happened many times in the past even to the level where processors have gone bankrupt as their exposure is even more lopsided than the platform we’re describing here.

So, how do Paypal and Square and 3rd party processors do this?

These companies are established and registered with the card associations solely for this purpose. These types of accounts typically require huge reserve accounts that exist solely to cover loses due to fraud. They also have extremely vigilant monitoring and restriction policies, which is why you’ll see almost every complaint against them is for holding funds. They also have very strict oversight and reporting requirements to the card associations. Implementing systems like these can cost million in registration and administrative fees, not to mention the millions that would be required to be held in the reserve account.

Here’s an unfortunate data breach that happened at a retail pizza restaurant. The business suffered a computer hack or some sort of data breach that resulted in customer’s credit cards being compromised and used fraudulently all over the world. The real shame is that PCI-DSS has been a Visa/MasterCard requirement for all businesses for nearly 4 years. I can empathize with this business but at this point there really no excuse for not taking PCI seriously. In a recent report from Verizon, they found that Restaurants were the most targeted business for hacking and data theft, with more than 50% of all attempts occurring. Thieves know that restaurants and small businesses are a great and very soft target and this isn’t likely to stop. At this point, there’s no excuse for not getting PCI compliant and not taking control over your data and business security.

MasterCard has alerted that some merchants have recently received fraudulent “MasterCard Security Alert” e-mail messages. These e-mails ask merchants to conduct payment card test transactions followed by a refund to a different payment card. These e-mails also instruct merchants to send the details of the transactions to an e-mail address not affiliated with MasterCard. This scam is being perpetrated by criminals in order to gain merchant transaction information so they can attempt to make fraudulent purchases and refunds using stolen payment card information.

If any business receives an unsolicited phone call, e-mail message, text message, or social media request from an individual claiming to be a MasterCard Security representative, do not to respond. Report the fraudulent inquiry to MasterCard using the following e-mail address: datasecurity@mastercard.com.

The Nurit 8020/8000 wireless terminals have become extremely prone to getting the Tamper Device error since VeriFone started manufacturing them and new security regulations were adopted. Tamper Device is an error caused by an internal security mechanism that wipes the terminal’s memory if someone is trying to physically break into the terminal. This protects the terminal’s PIN encryption and is a security requirement for all PIN entry devices. Unfortunately this error can be triggered on terminals that do not have PIN encryption enabled on the terminal.

When falsely triggered, Tamper Device is an annoying and time consuming error that typically requires reloading the terminal with new software and may even require the terminal to be sent back to VeriFone for repair which can cost upward of $100 each time. If the terminal was used for PIN entry, it would need to be returned to a processor for re-encryption as well.

One way to prevent Tamper Device errors from happening when the device is not being tampered with, is to keep the terminal plugged into an AC outlet when not in use. We’ve seen about a thousand cases of tamper device errors due to the battery running down, which triggers the terminal’s internal security mechanism. Seems ridiculous that this terminal would wipe itself just due to a low battery, but it does. Keep it plugged in when not in use.

Apart from this, the best way to prevent false tamper device errors is to handle the terminal carefully. You’d be surprised how often these terminals go through extreme conditions in hot and cold areas sitting in the back of a truck or van. Don’t drop it, freeze it, overheat it, spill anything on it, and generally treat it more delicately than you would a cell phone or other portable device.

There was a large data breach announced today by Visa and Mastercard. I think more than ever, this breach shows how dangerous the media is at blowing a story our of proportion before anyone actually know what the details are.

What is known…

Most likely a parking garage, or network of parking garages, suffered a data breach, most likely in the state of New York. Global Payments was most likely the processor for this business. That’s about it!

Here’s what the media shows:

Point being, that some publications like to blow the proportions of a story out of the water before there’s any fact to the story. Time will tell what has actually happened and it may be a very bad situation. But, the difference between 50,000 cards as reported in the Wall Street Journal, and 10,000,000 cards as reported in MSN’s red sheet, is incomparable.

And consumers and the government wonder why businesses don’t always come right out and tell everyone.