The IRS 6050W mandate passed in 2008 requires credit card processors to report merchant processing revenue to the IRS for each year of active processing. The IRS essentially thinks business owners are cheating on their taxes and are using credit card processors to try and identify egregious tax dodgers. Merchants with tax related information that is incorrect when their processors files a 1099-K will be subject to having funds held by their credit card processor. Last year, we were given a bye and didn’t have to hold merchant funds for those merchants with incorrect TIN information. This year appears to be different and processors will be holding funds per IRS regulations. We’ve already seen numerous cases where Amex was forced to put a hold on merchant’s funds.

You may have recently received notice from your credit card processor of your TIN or corporate name mismatching, or simply a notice to verify your processor has the correct TIN/EIN number and corporate name on file for your business. Do not ignore these notices!

It is extremely important to make sure this information is up to date and is correct with your processor. Incorrect TIN information can result in your processor being forced to hold the money being processed through your merchant account. American Express is a separate entity and you need to make sure that your TIN information is correct with American Express separately from your merchant account.

To update this information, you will be required to provide your credit card processor or American Express with an accurate W9 form. Completing this form properly is critical to preventing a TIN mismatch. This form must be filled out with the exact information you used to register your TIN with the IRS which is also the same information required when filing your taxes. A single misplaced letter or punctuation, the incorrect type of business, or an incorrect TIN will cause a mismatch. The IRS doesn’t have an adequate system for your processor to verify this information, or lookup the correct information, so it is up to you to make sure it is accurate. If you don’t know the TIN or the exact name you established your TIN under, you can contact the IRS to get the correct information.

Make sure this information is correct with your processor and with American Express to avoid having your money held.

A result of the recent card association / merchant settlement is that merchants may now place a surcharge on their credit transactions. We’ve already been getting a lot of phone calls about this, so let’s go over a few of the basics. You should also review Visa’s official information on surcharging for the in-depth details.

If you live in California, Colorado, Connecticut, Florida, Kansas, Maine, Massachusetts, New York, Oklahoma, or Texas forget about it. It is illegal in your state to add any surcharge on a credit transaction and state laws always trump operating regulations facilitated by private entities.

If you live in one of the other 40 states, you may be able to surcharge beginning January 27th, 2013.

In a nutshell, here’s what’s going to happen. Make sure you check with Visa’s and other association websites before adding a surcharge to ensure you are complying with all of the implemented rules and regulations.

• Notify Visa and your acquirer at least 30 days in advance of beginning to surcharge.
• Limit surcharging to credit cards only (no surcharging debit and prepaid cards) and limit the amount to your merchant discount rate for the applicable credit card surcharged.
• Disclose the surcharge as a merchant fee and clearly alert consumers to the practice at the point of sale – both in store and online – and on every receipt.

Remember, you cannot surcharge a debit card no matter how it is processed. You cannot surcharge if you accept American Express or Paypal. You cannot charge a prepaid card no matter how it is processed. You cannot under any circumstance charge more than you are paying to accept that specific card. There are specific rate limits listed on Visa’s website.

Although this may seem like a beneficial and obvious solution to some merchants, I strongly urge you to take a good look before implementing a surcharge. Shifting a cost like this is not going to fare well with many customers. I would personally not make a decision like this lightly. If you do decide that you want to surcharge, make sure you have a plan to test and back out if necessary. As proven in Australia, surcharging credit transactions has the potential to drastically alter payment preferences and will often upset a customer no matter how the surcharge is presented. In the world of social media, surcharging has the potential to generate a lot of bad publicity, very quickly, if you upset the wrong customer base.

Lastly, don’t be surprised if this change in regulation is retracted in the future. Consumers drive commerce in the US and they certainly will have their shot at overturning surcharging if they feel that it is unfair.

We’ve been speculating since Square got started that it would quickly infiltrate illegal markets. Partnered with prepaid debit cards, it offers an almost 100% anonymous method of accepting credit cards.

While reading some actual stories of drugs being purchased via debit card through a square reader, I went and did some searching on Google. To my surprise, not only are there multiple articles and instruction on how to accept debit cards for illegal sales, but Square is actually advertising for drug dealer related search terms. What a nice company.

Here’s a daily scenario that I come across. A website owner / entrepreneur / service provider / auction site / startup / etc., wants to create their awesome online platform that will allow vendors to sell and customers to buy, and they simply want a small percentage of the transaction. There are about a million different ways to describe this, but in the end the result is the same, the vendor gets payment, the site operator takes a small percentage, and the customer gets their product or service.

Now on the surface this is a completely rational credit card processing setup that many businesses could benefit from. In reality, processing like this is an extremely risky method that can and often does result in substantial losses for the party running the platform and the credit card processor. Let’s run through why these scenarios often don’t work and are prohibited by every normal payment processor out there. The technical term for this is called aggregating, and coincidentally it is exactly what Paypal, Square, and other 3rd party payment processors do.

In these scenarios we have 3 parties, the customer making the final purchase, the vendor who is selling their product or service, and the platform that is providing the mechanism or bridge between the vendor and the customer. This could be a anything from a commission based shopping site, an event coordinator, an action house or website, or any number of business ideas where a middle party provides the connection and mechanism between vendor and customer, but doesn’t actually provide the service themselves. The idea is that the platform seamlessly collects the payment from the customer and then pays the vendor after taking their small percentage fee for the service. Since they have a number of vendors using their service, they typically want to setup one merchant account to accepts payments with and use their own internal accounting to handle the proper payments.

Chargebacks…

What this creates is a major liability vacuum where the party that receives the majority of the payment, is not the party that is contractually responsible to the customer’s bank. When the customer decides they didn’t like the service and they make a chargeback, the platform loses the money and then must go back to the vendor to get reimbursed for their customer’s chargeback.

Just to illustrate how much risk  and exposure the platform takes on this, let’s just say the platform charges the vendor an arbitrary 5% per sale in fees and commission. At 5%, the platform is taking 2,000% exposure on every dollar they earn through their system, without taking processing fees into consideration. To be redundant, for every $1 in revenue the platform keeps, they have $20 in liability for at least 180 days.  Even at 10% in fees, they are exposed 1,000% on the dollar. The vendor ends up with 95% or 90% of the amount payed, while the platform still holds the liability for the entire 100%. This problem is further compounded when you consider that a card holder has 180 days from the date of the transaction to file a chargeback with their issuer. The bigger picture presents potential liability and challenges that far exceed what most businesses could ever accurately plan for. The reason that credit card processors and card associations don’t allow this is that when thing blow up and the vendors aren’t refunding the platform, and the platform implodes and is broke, the processor is left with the bill. And yes, this has happened many times in the past even to the level where processors have gone bankrupt as their exposure is even more lopsided than the platform we’re describing here.

So, how do Paypal and Square and 3rd party processors do this?

These companies are established and registered with the card associations solely for this purpose. These types of accounts typically require huge reserve accounts that exist solely to cover loses due to fraud. They also have extremely vigilant monitoring and restriction policies, which is why you’ll see almost every complaint against them is for holding funds. They also have very strict oversight and reporting requirements to the card associations. Implementing systems like these can cost million in registration and administrative fees, not to mention the millions that would be required to be held in the reserve account.

Here’s an unfortunate data breach that happened at a retail pizza restaurant. The business suffered a computer hack or some sort of data breach that resulted in customer’s credit cards being compromised and used fraudulently all over the world. The real shame is that PCI-DSS has been a Visa/MasterCard requirement for all businesses for nearly 4 years. I can empathize with this business but at this point there really no excuse for not taking PCI seriously. In a recent report from Verizon, they found that Restaurants were the most targeted business for hacking and data theft, with more than 50% of all attempts occurring. Thieves know that restaurants and small businesses are a great and very soft target and this isn’t likely to stop. At this point, there’s no excuse for not getting PCI compliant and not taking control over your data and business security.

MasterCard has alerted that some merchants have recently received fraudulent “MasterCard Security Alert” e-mail messages. These e-mails ask merchants to conduct payment card test transactions followed by a refund to a different payment card. These e-mails also instruct merchants to send the details of the transactions to an e-mail address not affiliated with MasterCard. This scam is being perpetrated by criminals in order to gain merchant transaction information so they can attempt to make fraudulent purchases and refunds using stolen payment card information.

If any business receives an unsolicited phone call, e-mail message, text message, or social media request from an individual claiming to be a MasterCard Security representative, do not to respond. Report the fraudulent inquiry to MasterCard using the following e-mail address: datasecurity@mastercard.com.

The Nurit 8020/8000 wireless terminals have become extremely prone to getting the Tamper Device error since VeriFone started manufacturing them and new security regulations were adopted. Tamper Device is an error caused by an internal security mechanism that wipes the terminal’s memory if someone is trying to physically break into the terminal. This protects the terminal’s PIN encryption and is a security requirement for all PIN entry devices. Unfortunately this error can be triggered on terminals that do not have PIN encryption enabled on the terminal.

When falsely triggered, Tamper Device is an annoying and time consuming error that typically requires reloading the terminal with new software and may even require the terminal to be sent back to VeriFone for repair which can cost upward of $100 each time. If the terminal was used for PIN entry, it would need to be returned to a processor for re-encryption as well.

One way to prevent Tamper Device errors from happening when the device is not being tampered with, is to keep the terminal plugged into an AC outlet when not in use. We’ve seen about a thousand cases of tamper device errors due to the battery running down, which triggers the terminal’s internal security mechanism. Seems ridiculous that this terminal would wipe itself just due to a low battery, but it does. Keep it plugged in when not in use.

Apart from this, the best way to prevent false tamper device errors is to handle the terminal carefully. You’d be surprised how often these terminals go through extreme conditions in hot and cold areas sitting in the back of a truck or van. Don’t drop it, freeze it, overheat it, spill anything on it, and generally treat it more delicately than you would a cell phone or other portable device.

There was a large data breach announced today by Visa and Mastercard. I think more than ever, this breach shows how dangerous the media is at blowing a story our of proportion before anyone actually know what the details are.

What is known…

Most likely a parking garage, or network of parking garages, suffered a data breach, most likely in the state of New York. Global Payments was most likely the processor for this business. That’s about it!

Here’s what the media shows:

Point being, that some publications like to blow the proportions of a story out of the water before there’s any fact to the story. Time will tell what has actually happened and it may be a very bad situation. But, the difference between 50,000 cards as reported in the Wall Street Journal, and 10,000,000 cards as reported in MSN’s red sheet, is incomparable.

And consumers and the government wonder why businesses don’t always come right out and tell everyone.

We recently partnered with a company, ShopKeep, to provide a point of sale (POS) program for iPad and Mac computers. It’s often a tough decision for a merchant to move up from a simple credit card terminal to a POS system as there can be significant costs and time in training and implementing a POS system. POS systems traditionally handle inventory and pricing in addition to acting as a businesses cash register. They are often locked into specific credit card processors that don’t always have good customer service or reasonable rates. The ShopKeep POS system is a great stepping stone for merchants that are looking to move up to an entry level POS system.

ShopKeep Overview:

ShopKeep POS is built to use an Apple iPad as the base computer for the system. It is essentially a web based software service that performs the normal functions of a point of sale system. From there a magnetic credit card reader is added in addition to a stand and a cash register for most merchants. This system tracks inventory and will support bar code readers, printers and a variety of other traditional POS requirements. Currently ShopKeep is only available to merchants located in the US and Canada.

Hardware:

The magnetic card reader is the Magtek idynamo or dynamag which are completely secure card readers that encrypt a transaction as the card is being swiped. Printers, bar code scanners, display stands, cash drawers, and other traditional peripherals can be added to an iPad allowing ShopKeep to replace most traditional POS systems.

Since ShopKeep is built using an iPad, it makes a very sleek, compact, and high tech looking POS system.

Software:

The ShopKeep software is easy to use and can be customized to fit a business’s specific requirements even with multiple locations. ShopKeep processes credit card transactions over the internet by connecting to a payment gateway. This facilitates near-instant processing times as long as an active internet connection is available. It also enables inventory and pricing to be controlled centrally if a merchant has more than 1 location. ShopKeep handles sales tax and tips and other common functions as it should.

Like most Apple software, and unlike many POS systems, the merchant interface is well thought out. Screens are clean, easy to read, and easy to advance or back out of. User priviledges can be controlled for greater security. Sales and inventory reports can be built, and customized down to individual inventory items. ShopKeep can export several file types into quickbooks accounting software. The software should meet the requirements of most small to medium size retail merchants.

If you’re in the market for an entry POS system, or you have an iPad that you would like to use for your processing take a look at the ShopKeep iPad POS System.

The Verifone Omni 3750 and 3740 are on the way out. I’ve received notice from several processors that they will not longer support the 3740 or 3750 after October 31st, 2012. Unlike many phase out’s, most that I have heard from will no longer allow these terminals to process at all. The replacements for the 3740 and 3750 are the Verifone VX510 and the slightly more advanced Verifone VX570. Both of these terminals are available in dial only or dual comm versions which include the ability to process securely over the internet.

If you are using a 3740 or 3750, it would be wise to see if your processor is going to continue support for it. Otherwise, start shopping for a new terminal before they cut yours off completely.