An Overview

Some time back, the IRS decided that they wanted to see a report of all the money that a merchant processes through their merchant account over the year.

While this is a nearly useless number because as we all know, most businesses also accept cash, checks, and other currency, it will in theory catch the most egregious tax evading businesses. Basically, the few fractions of a percent of businesses that grossly cheat on their tax returns “could” get caught. Regardless of the absurdity of requiring the entire country disclose their processing volumes, here we are…

Now for this to work, your processor has to file a 1099 form with the IRS. This is a seemingly simple task. However, for this to actually work, your business information with your processor must exactly match what the IRS has on file. This includes business name, address, your tax id, etc. Things as simple as capitalized letters, a single space, and punctuation will cause a mismatch. You get a new tax id after opening up a merchant account. You signed your application with only your SSN and not your tax id number. Things like this will cause errors. Since it’s rare that merchants fill out their merchant applications with the exact same business information, with the exact same capitalization, and spaces as they do when they fill out their tax information, and nothing changes with their business-IRS relationship, it’s fair to say a lot of tax reporting information will not be valid.

So, what if the tax information is not valid?

So, here comes the nasty part. The IRS mandates that your processor will withhold 28% of all credit card payments until the errors are corrected. Yes, 28% of all of your credit card sales with be held until you fix whatever information is incorrect. And, even if you fix the problem, you wont get that 28% back until the end of the year.

More fees

Most likely you have or will receive notice that you are going to be charged for the work required to verify and prepare this massive undertaking. I’ve seen everything from several hundred $ per year, to a few $ per month. The reason you are being charged this fee is that it actually requires a lot of work to verify and prepare one of these documents for a merchant. Processors often have thousands, or tens of thousands of merchants, which translates into thousands of man hours in just the initial verification, not even taking into account contacting every merchant that has errors to obtain the correct information. If you didn’t authorize e-file for your 1099, your processor needs to mail you a physical form.

Exceptions

The exceptions to the filing requirements are:

1. a merchant’s total payment transactions for the year does not exceed $20,000, and
1. the total number of transactions does not exceed 200

In which case your processor will not need to file a report. This may consist of a good percentage of businesses out there, but most full-time businesses process more than $20,000 per year.

Conclusion

It’s unfortunate that the reporting regulation was ever passed. It’s a useless piece of legislation that creates a lot more work for small businesses and it’s unlikely that the reporting will catch any but the worst tax offenders. But, it’s passed and taking effect and there’s not much any of us can do about it at this point. No matter who you process credit cards with, keep a close eye on the mail and your processing statements for instructions on how to verify your information. My recommendation is to take it very seriously to avoid the 28% withholding.

The past month has brought monumental changes to the payment processing industry.

Mobile frenzy

Mobile payments seem to be on the fast track with just about every tech related company steaming ahead at trying to be the first with a workable and widely adopted mobile payment method. Even Google has jumped in, despite Paypal’s arguments, and hopes to be a major player in mobile payments. If the Google Checkout service is any indicator of Google’s success in mobile payments, they simply aren’t going to make it. However, with their success in the mobile android operating system, and their already massive relationship with businesses, Google may have a chance at something.

Debit Interchange Regulation

The biggest news of the month, is the regulation of debit interchange. After fierce battling for more than a year, debit interchange is to be regulated to $.21 per transaction and .05% per transaction. As written, this applies to all debit card transactions, PIN or signature as well as Ecommerce/MOTO transactions. It’s not entirely clear when and how this will take effect but stay tuned over the next months.

The biggest winners in this regulation are once again the super retailers who process millions of transactions per year. Small and medium size merchants can expect savings, but it will not likely be anything as monumental as the Walmart’s and Amazon.com’s out there. There’s going to be a lot of misinformation flying and aggressive marketing over the next year as many processors will take advantage of the turmoil, misinformation, and instability in the merchant account industry. I would strongly suggest exercising caution in anyone making sensational claims about lowering your rates. Major industry changes offer the greatest opportunity to get scammed into a bad merchant account. Just remember that almost every processor has roughly the same hard costs, so if they are unrealistically lowering fees in one place, they have to make them up somewhere else.

Expect major checking account changes

As a result of banks losing roughly 50% of their revenue from debit cards, we should all expect drastic changes to our personal and business checking accounts over the next year. I know that all of my business and personal debit rewards have been canceled over the past 3 months. I think that debit rewards are the tip of the iceberg, and we should expect changes in debit and checking account fees and overall debit availability over the coming months. Some smaller banks have rumored that they will be dropping debit cards completely, so it will be interesting to see where this all ends up a year from now.

It’s a mute point to argue my position on the interchange regulation at this time. Retailers may be chocking this up as a victory, but don’t start celebrating yet. This regulation may seem like a small amount. Personally I think this regulation will change the way we do banking in the US, and could very well effect the entire retail economy, not necessarily in a good way. The next few years will give us a better picture of what these regulation have done to the retail industries and checking accounts.

This is in response to the $.12 debit card interchange regulation battle that is waging between banks and retailers. I will refrain from commenting on the debit card regulation at this point. I’ve made my views and concerns known to the federal reserve board. What I will end with is that the entire debit and credit regulation concept is far more complicated that many would like to believe. It cannot be simply capped without major repercussions perhaps large enough to hurt the entire US and world economies. Something as important as this should not be attached to major bills and should be voted on separately as this specific regulation was not.

Verifone just acquired Hypercom corporation. This effectively removes all legitimate competition from the US credit card terminal market. Verifone’s own products have suffered a decline in reliability and quality starting 5 or 6 years ago, so naturally Verifone began purchasing competitors. They started with wireless leader Lipman, and then acquired Way Systems, and now have taken down the last barrier, Hypercom. Verifone stated that this acquisition was to expand their presence in the European market, but make no mistake it removed their last competition from the US market completely.

I don’t want to forget Ingenico whom is one of the worlds largest terminal manufacturers, however they are a mere drop in the bucket in the US and sell almost exclusively to large chains and direct placement deals that normal mom and pop merchants will never see.

I’m personally appalled that the government allowed this transaction to take place. On the bright side, if Verifone cannot produce a higher quality product, there’s several smaller manufacturers that are already gaining serious ground, most notably Dejavoo, ready to replace Hypercom. This will provide the perfect avenue for Dejavoo and others to become much larger terminal brands (until Verifone purchases them of course). Dejavoo’s product is far superior to Verifone or Hypercom and is cheaper than either.

I’m seriously holding back words on writing this. The impact of this on the credit card terminal industry would be comparable to Walmart purchasing Target or Microsoft purchasing Apple. This sort of acquisition is the reason that anti-trust laws exist. It’s unfortunate that the government’s priorities are so far removed from the B2B industries of the country.

I read a great article about Durbin’s amendment in which I found out that free checking accounts were virtually non-existent before the invention of signature (or offline) debit. Signature debit is where a merchant processes a debit card like a credit card without requiring a PIN number. With the invention of signature debit, banks had a steady source of income from debit interchange that was directly attached to their customer’s bank accounts. With this additional income, came the invention of the free checking account. Right now most consumers and small businesses use free checking accounts, which are partially subsidized by fees the bank receives from signature debit interchange. These fees also help pay for chargeback investigations, and help pay for account features that you would have had to pay for before there were free checking accounts.

Now that congress is capping debit interchange, we can expect changes with regard to free checking account practices. Since these accounts can no longer be subsidized by signature debit interchange, banks are going to have create monthly fees for checking accounts. Chargeback investigations also cost banks huge amounts, so we can expect further fees will be charged to cover the additional costs for these. Right now, BOFA and others have announced that they plan on charging fees for checking accounts once the new regulations go into effect. Goodbye, free checking…

What I think is the biggest flaw to the debit regulation, and of much greater significance in the overall picture, is the double standard that congress has proposed. The law limits the amount banks can charge for debit interchange. At the same time, it exempts financial institutions with less than $10B in assets in attempt to help these smaller institutions out, but at the same time allows merchant to discriminate against types of payment at their discretion. A thoughtful move, but because of the second part it will have a near 100% opposite effect than planned.

Merchants will now inherently be more inclined to, and be allowed to, accept debit cards with the lower rates, which will be the big bank’s cards! Instead of helping credit unions and small banks, congress instead created the perfect avenue to put them out of the debit card picture. While it’s unrealistic to assume that the smaller banks will not be issuing debit cards at all, it is completely reasonable to assume that retailers (especially the large ones) will favor and may only accept cards from large banks that they pay less for. We’ll start seeing signs like only Bank of America debit cards are accepted here, and congress not only made it completely legal for merchants to do this, but they created the system to facilitate it!

With one swipe the future shows the end of free checking accounts, and the end of credit union’s issuing their own debit cards.

I’ll readily admit that I am partial when it comes to regulation of my industry, but how could congress have created something so blatantly damaging to credit unions and small banks in the US. As soon as the credit unions learned about the details of the rules , they began lobbying. However, the wording and details were published after the rules were passed, so to stop it now is more a prayer than anything else. It doesn’t take an expert to know that large retailers follow the savings, just like consumers…

More than any resource I’ve seen before it, this paper gives a clear and easy to understand description of the current state of electronic crime.

Merchants do not have protection from liabilities if they take the steps to become compliant!

Now before QSA’s light their torches, let me just say that I completely understand and agree that PCI Compliance ≠ Security. Nevertheless, from a business perspective it’s hard to take a program like this seriously when there is no real benefit from becoming compliant. One can always argue that security is a benefit, but in reality it’s not unless you actually prevent a data loss with it, and there’s no measurable monetary benefit of something that you don’t know was prevented.

I do have a strong belief, which I think is further illustrated by the slow adoption rates of level 3 and level 4 merchants, that most merchants don’t take PCI seriously. Losing customer data is nothing to be joking about, but they way PCI has been implemented with liability dumped on merchants and processors, and the fact that compliant businesses get no protection over non-compliant ones, is laughable. Independent of the PCI Council which they helped start, MasterCard now requires security scans for all merchants even if they don’t process on the Internet or over an IP connection. How can PCI possibly be taken seriously if the founding companies create independent standards after they start an organization specifically to make sure they all have the same standards?

So what’s the big news?

Washington state just passed a law (HB 1149 ^pdf) that effectively legitimizes PCI, or at least legitimizes much of the cost in becoming compliant. What this law will do is grant a merchant safe harbor from liabilities resulting from a data breach, provided that the merchant was PCI compliant when the breach occurred. It also states that the breached organization’s compliance cannot be revoked as a result of a breach. Basically, if you were compliant at the time of the breach, you are still compliant after the breach. This sort of retroactive revocation of PCI compliance has occurred in several major breaches. From my observation, this law is the first breath of reason that I have seen pushed towards PCI compliance.

Business owners (at least in Washington) can look at PCI and assume, if we become secure and become PCI compliant, we’re no longer as-liable if some extraordinary circumstance results in us losing data. The proactive response is: let’s get this taken care of, lets make sure that our data is secure, and let’s get compliant!

Currently that same business owner is checking [YES] to all the boxes and emailing in their questionnaire. They’re asking, so it doesn’t matter if I’m PCI compliant, I’m still fully liable for any costs and damages if someone steals my data? Hmm… [YES] to all… DONE!

The pitfalls

With legislation like this there are pitfalls, and probably some big ones.

First off, the law states that merchants must be validated compliant within 1 year of the breach occurring. 1 year is far too long for a business that was compliant to be assumed to be still compliant. Additionally, this doesn’t address the fact that the business could quite easily take steps to actually become secure, but intentionally remove them for operations sake once they pass a security scan or self assessment.

Second, the law is only for Washington which makes it worthless in all practicality. However, the fact that one state is passing it may push Visa/MC/AMex/Disc to look at adding real protection to PCI.

Third, the law doesn’t address actual costs to consumers such as fees from bounced checks or other bank and credit associated fees. Merchant’s would most likely still be liable for many of these fees (assuming that there are some) if they suffered a breach.

Lastly, the law would justify costs for becoming compliant, but could put huge costs on someone else (and it’s unclear who). If the merchant does suffer a sizable breach, it’s clear that there are real costs in re-issuing cards. What’s not clear is who would end up paying for them if this law is passed.

Meaningless?

Until this law is adopted by the issuers or put into effect on a national level, the benefits from it on a widespread scale, are going to be little to none. I’m openly against government regulation in any industry, yours or mine, so I do hope that card issuers and PCI security council take a serious look into adopting similar measures directly into PCI. I think that providing some sort of protection like this would greatly legitimize PCI especially in the minds of the business owners that are forced to become compliant and feel that PCI does not give them any benefit. It’s time for PCI to give small business owners a real reason to become secure and to become PCI compliant. A measure like this law is that reason!

Blippy is a service that allows people to share and discus, the purchases that they are making in near real-time. Basically, every time a Blippy user makes a purchase using their credit card, it shows up on Blippy. A little bit like twitter, a user can also embed their blippy feed on their blog, facebook profile, other social network, or website, and their followers can track and discuss every purchase that they make. For this to work smoothly, Blippy obviously needs to store and access some very sensitive information.

This data breach looks like it was extremely small, completely insignificant for realistic purposes, but I think it brings up some very strong points that should question card issuers stance on protecting their card holders.

The reason that Visa and MasterCard should provide some sort of protection for merchants, is that if card holders are stupid enough to share their credit card and bank login information with a social networking site such as Blippy, there’s really no reason that they should be continue to be protected at the expense of merchants. It’s simply absurd to think that merchants should bear the cost of people so ignorant that they would give their banking information out to some random website. “Social networking” and “security” are 2 terms as synonymous as fire and water.

One could always argue that Blippy should have kept the information more secure, which is obvious, but the real problem here is that credit cards are not meant to be used in this manner. It’s just baffling to me that someone would actually enter their card or bank login into any site that they do not have a close relationship with, or are making a purchase from. Then to expect their bank to cover them from unauthorized charges, is just beyond any reason. It’s reckless on Blippy’s part to make a service based on and requiring such sensitive information, and it’s even more reckless for card holders to share this information.

A quick example of the absurdity of this service is a line in Blippy’s terms of service:

Privacy: You may not publish or post other people’s private and confidential information, such as credit card numbers, street address or Social Security/National Identity numbers, without their express authorization and permission.

Hey, but Blippy can publish yours…

To me, this service is clearly crossing the line where credit cards were not mean to and should not go until major modifications to security and merchant protection are established!

To top it all off, Blippy issued this statement on their blog:

In general, it’s important to remember that you’re never responsible if someone uses your credit card without your permission.

As a merchant and a merchant service provider, I don’t want to end up taking a stolen card because a card holder decided to hand out their banking information to a social networking site, who thinks that chargeback expenses are somehow covered by a magical chargeback fairy. It’s the merchant that accepted the card who eats the cost of your poor programming, and complete lack of data security. I think Visa and MasterCard need to step in right now and quash this type of service, and specifically Blippy. It’s really simple, as Blippy is not involved in any part of a credit card transaction, they have no right to a card holder’s transaction information.

Blippy has issued resolutions to prevent this from happening again, but realistically their service should be canned now! My hat goes out to anyone who can get a $12M investment in a service that lets people share their purchases with the world, but it’s time that this is stopped before it gets out of hand.

It all started around the 1st of February.

All payments sent from personal Indian accounts are reversed. This would basically be like accepting a credit card, and 5 days later (long after the merchandise or service has been performed) that money is given back to the customer!

When reversed, there are several immediate reactions. First off, it is confusing to anyone who sent a payment and had it returned a few days later. It is more confusing and upsetting to the business that accepted that payment as they are now without the money and without the service or product that was paid for. Additionally, this unbalances the accounts of thousands and possibly millions of account holders, not just in India. Many of these recipient account holders made payments to other businesses. When the original amount was reversed and subtracted from their account, any recipient account lost money, and many Paypal accounts went negative. Some people got paid, while others lost the money. Paypal was also blocking any withdrawals to an Indian bank account, so even if a business did manage to get paid, there was no way for them to take the money out of Paypal.

As usual Paypal was completely mum about the actual details of the events of what was happening, further compounding the frustration and confusion that was sweeping Indian paypal account holders and those who received a payment from an Indian account. On February 5th, I had speculated that there was some government intervention going on, as the scope and damage that these events were causing were absolutely massive. Even at this point an Indian Paypal user could send money, and at first would seem successful, but would be returned several days later.

On the 6th of February, with Paypal users continuing to panic still trying to send money, Paypal finally publicly announced that there was a problem with personal payments.

I’m writing to let you know that personal payments to and from India and transfers to local banks in India have been suspended while we work with our business partners and other stakeholders to address questions they have about the service.

While this was an unacceptably vague response to the seemingly massive situation that was unfolding, it was nevertheless some response.

More problems…

About a day later, a second problem had been discovered with many Paypal accounts. After being refunded, many Paypal users noticed that foreign exchange fees had never been refunded. Thousands of Indian freelancers, Indian businesses, and worldwide businesses who accept payments from Indian account holders are getting more upset and confused. Although Indian payments only make up a small portion of Paypal payments, it’s clear that there is a major problem affecting far more people and businesses than just Personal Indian account holders. Now there’s money, paypal fees, and separate foreign exchange fees lost in millions of payments and refunds, a true accounting nightmare.

Everyone knows there is a problem, but nobody knows what it is and Paypal won’t say a word.

On February 10th the truth finally comes out.

1. Why did you suspend local bank transfers and personal payments to and from India?

We temporarily suspended these services to respond to enquiries from the Indian regulators, specifically questions on whether personal payments constitute remittances into India.

We’re working with the regulators and our bank processing partners in India to get this resolved as quickly as we can. We realize that this is causing considerable inconvenience to our customers and I want to reassure you that this is a top priority for the leadership at PayPal

2. When will personal payments be turned back on?

The regulators recently let PayPal know about revised licensing rules that we are now actively engaged in securing. Personal payments to and from India will be suspended for at least a few months until we fully resolve the questions from the Indian regulators.

3. When will local bank withdrawals be available?

Customers should be able to withdraw their funds to a local bank within the next few days. In the meantime, we’re going to restore the money into the PayPal accounts of any customers in India who have initiated a recent withdrawal, so they know that the money is safe in their accounts. Customers will also be reimbursed for any withdrawal fee charges.

4.The PayPal reversal has left me with a negative balance. What shall I do?

If you bought something or transferred money out of your PayPal account to your bank account before we reversed the payment then you may be left with a negative balance.

If this was a payment for a purchase of goods or services, you should contact the sender and have him or her resend the payment as follows:

(a) click the Send Money tab, and

(b) select “purchase.”

If this was a personal payment, then the sender will need to find another payment method until we restore the service. We’re sorry about this.

If you can’t recover the funds from the sender, you can bring your PayPal balance current by logging in to the PayPal account and clicking the “Resolve Negative Balance” link on the Account Overview page.

5. My payment was reversed but it was not a personal payment. What happened?

Only personal payments should have been reversed. Customers who believe that their payments were reversed in error should request that the payment be sent again by following the steps above (click the Send Money tab and select “purchase.”)

The Reserve Bank of India (RBI) put a halt to all Paypal payments when they finally realized that Paypal was a acting as a cross border money transfer system due to a law passed in 2008, “Providers of cross-border money transfer service need prior authorization from the Reserve Bank under the Payment and Settlement Systems Act,”. The reasoning behind the law is that many cross-border transactions are considered remittances, which fall under additional regulation by the RBI.

At this point, Indian Paypal account holders cannot send or receive money through paypal, and even many Business account holders cannot withdraw into their Indian bank account. Paypal has indicated that it may takes months before payments get back on track in India, leaving very few payment options for freelancers and many businesses in India’s rappidly growing IT services industry.

What strikes me as simply baffling is how it took 2 years for the Indian government to realize that Paypal users in their country could transfer money to and from Paypal users in other countries, and why they would tackle this situation is such a disruptive manner. Seriously, Paypal has been in India for several years and nobody bothered to consider that the fastest growing payment mechanism in India might fall under this new law when it was being drafted?

Equally baffling is why Paypal didn’t completely suspend Payments when they were given the request on January 27th. Instead they reversed thousands of transactions that had already been submitted, allowed these recipients to forward the money they received as payments to other businesses. They also continued to allow transactions to be sent until after the 7th, 10 days after they stated that transactions had been halted.

The combination of gross under-sight by India’s financial regulatory systems, and Paypal’s gross negligence in adequately responding to a major operational casualty, caused one of the larger payment system implosions that we’ve seen. Most of the ancillary damage was completely avoidable, had Paypal responded immediately and adequately to RBI’s request. While I’m sure that Paypal will pull through unscathed as they have so many times before, I do believe that their position in the Indian payments market will be scarred for a long time.

Authorize.net is currently the largest payment gateway in the world. This is affecting millions of websites right now. To my knowledge this is the first major outage since the DDOS attack they suffered several years ago.

A casualty of this magnitude has the ability to permanently damage / destroy this company’s trust and reputation.