The Nurit 8020/8000 wireless terminals have become extremely prone to getting the Tamper Device error since VeriFone started manufacturing them and new security regulations were adopted. Tamper Device is an error caused by an internal security mechanism that wipes the terminal’s memory if someone is trying to physically break into the terminal. This protects the terminal’s PIN encryption and is a security requirement for all PIN entry devices. Unfortunately this error can be triggered on terminals that do not have PIN encryption enabled on the terminal.

When falsely triggered, Tamper Device is an annoying and time consuming error that typically requires reloading the terminal with new software and may even require the terminal to be sent back to VeriFone for repair which can cost upward of $100 each time. If the terminal was used for PIN entry, it would need to be returned to a processor for re-encryption as well.

One way to prevent Tamper Device errors from happening when the device is not being tampered with, is to keep the terminal plugged into an AC outlet when not in use. We’ve seen about a thousand cases of tamper device errors due to the battery running down, which triggers the terminal’s internal security mechanism. Seems ridiculous that this terminal would wipe itself just due to a low battery, but it does. Keep it plugged in when not in use.

Apart from this, the best way to prevent false tamper device errors is to handle the terminal carefully. You’d be surprised how often these terminals go through extreme conditions in hot and cold areas sitting in the back of a truck or van. Don’t drop it, freeze it, overheat it, spill anything on it, and generally treat it more delicately than you would a cell phone or other portable device.

There was a large data breach announced today by Visa and Mastercard. I think more than ever, this breach shows how dangerous the media is at blowing a story our of proportion before anyone actually know what the details are.

What is known…

Most likely a parking garage, or network of parking garages, suffered a data breach, most likely in the state of New York. Global Payments was most likely the processor for this business. That’s about it!

Here’s what the media shows:

Point being, that some publications like to blow the proportions of a story out of the water before there’s any fact to the story. Time will tell what has actually happened and it may be a very bad situation. But, the difference between 50,000 cards as reported in the Wall Street Journal, and 10,000,000 cards as reported in MSN’s red sheet, is incomparable.

And consumers and the government wonder why businesses don’t always come right out and tell everyone.

We recently partnered with a company, ShopKeep, to provide a point of sale (POS) program for iPad and Mac computers. It’s often a tough decision for a merchant to move up from a simple credit card terminal to a POS system as there can be significant costs and time in training and implementing a POS system. POS systems traditionally handle inventory and pricing in addition to acting as a businesses cash register. They are often locked into specific credit card processors that don’t always have good customer service or reasonable rates. The ShopKeep POS system is a great stepping stone for merchants that are looking to move up to an entry level POS system.

ShopKeep Overview:

ShopKeep POS is built to use an Apple iPad as the base computer for the system. It is essentially a web based software service that performs the normal functions of a point of sale system. From there a magnetic credit card reader is added in addition to a stand and a cash register for most merchants. This system tracks inventory and will support bar code readers, printers and a variety of other traditional POS requirements. Currently ShopKeep is only available to merchants located in the US and Canada.

Hardware:

The magnetic card reader is the Magtek idynamo or dynamag which are completely secure card readers that encrypt a transaction as the card is being swiped. Printers, bar code scanners, display stands, cash drawers, and other traditional peripherals can be added to an iPad allowing ShopKeep to replace most traditional POS systems.

Since ShopKeep is built using an iPad, it makes a very sleek, compact, and high tech looking POS system.

Software:

The ShopKeep software is easy to use and can be customized to fit a business’s specific requirements even with multiple locations. ShopKeep processes credit card transactions over the internet by connecting to a payment gateway. This facilitates near-instant processing times as long as an active internet connection is available. It also enables inventory and pricing to be controlled centrally if a merchant has more than 1 location. ShopKeep handles sales tax and tips and other common functions as it should.

Like most Apple software, and unlike many POS systems, the merchant interface is well thought out. Screens are clean, easy to read, and easy to advance or back out of. User priviledges can be controlled for greater security. Sales and inventory reports can be built, and customized down to individual inventory items. ShopKeep can export several file types into quickbooks accounting software. The software should meet the requirements of most small to medium size retail merchants.

If you’re in the market for an entry POS system, or you have an iPad that you would like to use for your processing take a look at the ShopKeep iPad POS System.

The Verifone Omni 3750 and 3740 are on the way out. I’ve received notice from several processors that they will not longer support the 3740 or 3750 after October 31st, 2012. Unlike many phase out’s, most that I have heard from will no longer allow these terminals to process at all. The replacements for the 3740 and 3750 are the Verifone VX510 and the slightly more advanced Verifone VX570. Both of these terminals are available in dial only or dual comm versions which include the ability to process securely over the internet.

If you are using a 3740 or 3750, it would be wise to see if your processor is going to continue support for it. Otherwise, start shopping for a new terminal before they cut yours off completely.

I’ll avoid stating why I think they’re doing this, cough… Durbin… cough, cough…., but starting in April 2012, Visa has added a new charge to all merchant accounts. These additional fees are fixed per month, and are based on a merchant’s business type and the number of location or volume they process.

In the mix, Visa is lowering their network acquirer processor fee from $0.0195 to $0.0155 per authorization. They are also adding a $.10 fee to some debit transactions that don’t meet certain processing criteria.

However, all businesses can expect to see the following changes.

For some businesses this may result in reduced fees but it’s likely that many businesses will see an increase in their monthly bill as a result of the FANF fee. MasterCard will be introducing new and similar fees as well starting in July. Stay tuned to see what those turn out to be.

I hate to say I told you so, but once again the Walmart’s and super retailers got their wish and the rest of the businesses out there end up with a higher cost. It’s unfortunate that organizations like the NRF don’t have the foresight to stop lobbying for super retailers at the expense of the businesses they supposedly represent. Thus far, the Walmart lawsuit a few years ago and the Durbin debit regulation have drastically increased the complexity and the costs to most merchants in the US.

In the thick of the IRS reporting madness, the IRS has formally made a statement with regard to the new IRS reporting rules.

In a letter to the National Federation of Independent Business, the IRS said Wednesday it would not require retailers and others to explain how and why their business income differs from their credit-card receipts, which Congress now is requiring card companies to report separately to the IRS.

“There will be no reconciliation required” for the 2012 tax year, “nor do we intend to require reconciliation in future years,” said a letter to NFIB from IRS Deputy Commissioner Steven Miller.

Processors have spend millions of dollars and hundreds of thousands of hours trying to meticulously match business information with what the IRS has on file. I’ve strongly opposed the bill since it was first written about 5 years ago. This is an example of a bill that should never have been passed in the first place. It wouldn’t have worked except in all but the most egregious cases of tax evasion and caused an inconceivable burden to processors and normal businesses in the US.

The IRS and US government should issue a formal apology for causing countless time and money to be wasted for just about every US business. My only hope is that this is the first step in completely retracting it.

The online retailer Zappos just had a data security breach where they lost 24 Million customer’s personal information records. This loss included names, addresses, email and phone numbers, encrypted passwords, but did not include credit card information.

No doubt that thoughtful security planning prevented the loss of credit card or financially sensitive information. However, it doesn’t really lessen the reality that the repercussions from the Zappos breach could be huge. Does data security go far enough if we accept that personal information is completely acceptable to be lost as long as financial information is not?

With the amount of personal information that was obtained in the Zappos breach, the thieves have a very lucrative marketing or hacking information package.

On the marketing side

Companies pay a lot of money for targeted marketing lists like the one that Zappos inadvertently provided. Let’s see, here’s a list of 24 million people that definitely buy things online, most likely shoes or clothing items, FIRE AWAY…

This information is a telemarketer or direct marketer’s dream, and they can target these known shoppers via phone, mail, and email.

On the hacking side

I can almost guarantee that Zappos customers are going to receive an onslaught of highly engineered spam, viruses, offers, and everything else to their emails. At the same time they are going to start getting physical spam, and scam offers, and probably are going to see telemarketing scams as well. There’s really no limit to how the information can be used for malicious purposes. Scam companies and hacking groups trying to install mallware and spyware are extremely efficient and proficient at developing well planned attacks on unsuspecting users. There are millions of computers called zombie computers because they are being used to send spam and other malicious activities without the knowledge of their owners. Expect some more.

As to the encrypted passwords. Websites typically use 1-way hashing mechanisms for password storage. This means that the password is encrypted, but cannot be decrypted by any reasonable means. The caveat to this is that if the hacker knows how the password was hashed, they can create a huge list of hashes and compare them to find the original. This is a very targeted attack, but with 24 million passwords it’s worth a lot of effort. They will begin finding real password very quickly if they discover the hashing mechanism. Since many users do not use unique passwords between websites, the direct loss from being able to log into user’s bank accounts, or other websites will be significant. I always recommend using a unique password with every site you log into, and use a password manager like roboform.

The reality

The reality of this situation is that Zappos is owned by Amazon.com. I can guarantee that Zappos has some stout security in place, and yet one of the largest, most tech oriented companies on earth, just had a data loss of 24 million records. This tells me that that standards we have in place for protecting data, especially non-sensitive data, are not enough. We should not just be protecting financially sensitive data, but all customer data. Sure there may be no direct cost in replacing bank cards, or obtaining new bank account numbers, stopping checks, or posting chargebacks, but the effect to the customer when you lose their data can be remarkable. We’ve yet to see the actual damages that this breach causes, but with the sheer amount of information out there, there could be substantial damages.

In case you haven’t been paying attention to the US political landscape, there is currently a bill in progress dubbed the great American firewall. It is a thoughtless overreaching nightmare’ish bill that claims to be for preventing copyright infringement.

Please read up and understand the implications of what this bill will do. There has never been a more 1984esque bill to be taken up by both houses of congress. It is absolutely ridiculous that our country would go this far just to help the massive media corporations under the veil that they are doing it for the good of the people. While supportable in concept, this is one of those “the road to hell was paved with good intentions” bills in what it will actually do.

Please contact your congress person and oppose this bill.

By now, the majority of merchants in the US have been informed of some impending IRS reporting requirements for their merchant account. I blogged about this congressional mandate several years ago and since we’re finally past the day of reckoning, let’s revisit how this is exactly going to affect your merchant account and your business.

An Overview

Some time back, the IRS decided that they wanted to see a report of all the money that a merchant processes through their merchant account over the year.

While this is a nearly useless number because as we all know, most businesses also accept cash, checks, and other currency, it will in theory catch the most egregious tax evading businesses. Basically, the few fractions of a percent of businesses that grossly cheat on their tax returns “could” get caught. Regardless of the absurdity of requiring the entire country disclose their processing volumes, here we are…

Now for this to work, your processor has to file a 1099 form with the IRS. This is a seemingly simple task. However, for this to actually work, your business information with your processor must exactly match what the IRS has on file. This includes business name, address, your tax id, etc. Things as simple as capitalized letters, a single space, and punctuation will cause a mismatch. You get a new tax id after opening up a merchant account. You signed your application with only your SSN and not your tax id number. Things like this will cause errors. Since it’s rare that merchants fill out their merchant applications with the exact same business information, with the exact same capitalization, and spaces as they do when they fill out their tax information, and nothing changes with their business-IRS relationship, it’s fair to say a lot of tax reporting information will not be valid.

So, what if the tax information is not valid?

So, here comes the nasty part. The IRS mandates that your processor will withhold 28% of all credit card payments until the errors are corrected. Yes, 28% of all of your credit card sales with be held until you fix whatever information is incorrect. And, even if you fix the problem, you wont get that 28% back until the end of the year.

More fees

Most likely you have or will receive notice that you are going to be charged for the work required to verify and prepare this massive undertaking. I’ve seen everything from several hundred $ per year, to a few $ per month. The reason you are being charged this fee is that it actually requires a lot of work to verify and prepare one of these documents for a merchant. Processors often have thousands, or tens of thousands of merchants, which translates into thousands of man hours in just the initial verification, not even taking into account contacting every merchant that has errors to obtain the correct information. If you didn’t authorize e-file for your 1099, your processor needs to mail you a physical form.

Exceptions

The exceptions to the filing requirements are:

1. a merchant’s total payment transactions for the year does not exceed $20,000, and
1. the total number of transactions does not exceed 200

In which case your processor will not need to file a report. This may consist of a good percentage of businesses out there, but most full-time businesses process more than $20,000 per year.

Conclusion

It’s unfortunate that the reporting regulation was ever passed. It’s a useless piece of legislation that creates a lot more work for small businesses and it’s unlikely that the reporting will catch any but the worst tax offenders. But, it’s passed and taking effect and there’s not much any of us can do about it at this point. No matter who you process credit cards with, keep a close eye on the mail and your processing statements for instructions on how to verify your information. My recommendation is to take it very seriously to avoid the 28% withholding.

First off, I wish everyone a great 4th of July weekend. Banks will be closed on Monday and it looks like most people are starting their weekend today anyway. Be safe this weekend and be very careful with fireworks if you live in one of the drought stricken areas like myself.

The past month has brought monumental changes to the payment processing industry.

Mobile frenzy

Mobile payments seem to be on the fast track with just about every tech related company steaming ahead at trying to be the first with a workable and widely adopted mobile payment method. Even Google has jumped in, despite Paypal’s arguments, and hopes to be a major player in mobile payments. If the Google Checkout service is any indicator of Google’s success in mobile payments, they simply aren’t going to make it. However, with their success in the mobile android operating system, and their already massive relationship with businesses, Google may have a chance at something.

Debit Interchange Regulation

The biggest news of the month, is the regulation of debit interchange. After fierce battling for more than a year, debit interchange is to be regulated to $.21 per transaction and .05% per transaction. As written, this applies to all debit card transactions, PIN or signature as well as Ecommerce/MOTO transactions. It’s not entirely clear when and how this will take effect but stay tuned over the next months.

The biggest winners in this regulation are once again the super retailers who process millions of transactions per year. Small and medium size merchants can expect savings, but it will not likely be anything as monumental as the Walmart’s and Amazon.com’s out there. There’s going to be a lot of misinformation flying and aggressive marketing over the next year as many processors will take advantage of the turmoil, misinformation, and instability in the merchant account industry. I would strongly suggest exercising caution in anyone making sensational claims about lowering your rates. Major industry changes offer the greatest opportunity to get scammed into a bad merchant account. Just remember that almost every processor has roughly the same hard costs, so if they are unrealistically lowering fees in one place, they have to make them up somewhere else.

Expect major checking account changes

As a result of banks losing roughly 50% of their revenue from debit cards, we should all expect drastic changes to our personal and business checking accounts over the next year. I know that all of my business and personal debit rewards have been canceled over the past 3 months. I think that debit rewards are the tip of the iceberg, and we should expect changes in debit and checking account fees and overall debit availability over the coming months. Some smaller banks have rumored that they will be dropping debit cards completely, so it will be interesting to see where this all ends up a year from now.

It’s a mute point to argue my position on the interchange regulation at this time. Retailers may be chocking this up as a victory, but don’t start celebrating yet. This regulation may seem like a small amount. Personally I think this regulation will change the way we do banking in the US, and could very well effect the entire retail economy, not necessarily in a good way. The next few years will give us a better picture of what these regulation have done to the retail industries and checking accounts.