I’ll avoid stating why I think they’re doing this, cough… Durbin… cough, cough…., but starting in April 2012, Visa has added a new charge to all merchant accounts. These additional fees are fixed per month, and are based on a merchant’s business type and the number of location or volume they process.

In the mix, Visa is lowering their network acquirer processor fee from $0.0195 to $0.0155 per authorization. They are also adding a $.10 fee to some debit transactions that don’t meet certain processing criteria.

However, all businesses can expect to see the following changes.

For some businesses this may result in reduced fees but it’s likely that many businesses will see an increase in their monthly bill as a result of the FANF fee. MasterCard will be introducing new and similar fees as well starting in July. Stay tuned to see what those turn out to be.

I hate to say I told you so, but once again the Walmart’s and super retailers got their wish and the rest of the businesses out there end up with a higher cost. It’s unfortunate that organizations like the NRF don’t have the foresight to stop lobbying for super retailers at the expense of the businesses they supposedly represent. Thus far, the Walmart lawsuit a few years ago and the Durbin debit regulation have drastically increased the complexity and the costs to most merchants in the US.

In the thick of the IRS reporting madness, the IRS has formally made a statement with regard to the new IRS reporting rules.

In a letter to the National Federation of Independent Business, the IRS said Wednesday it would not require retailers and others to explain how and why their business income differs from their credit-card receipts, which Congress now is requiring card companies to report separately to the IRS.

“There will be no reconciliation required” for the 2012 tax year, “nor do we intend to require reconciliation in future years,” said a letter to NFIB from IRS Deputy Commissioner Steven Miller.

Processors have spend millions of dollars and hundreds of thousands of hours trying to meticulously match business information with what the IRS has on file. I’ve strongly opposed the bill since it was first written about 5 years ago. This is an example of a bill that should never have been passed in the first place. It wouldn’t have worked except in all but the most egregious cases of tax evasion and caused an inconceivable burden to processors and normal businesses in the US.

The IRS and US government should issue a formal apology for causing countless time and money to be wasted for just about every US business. My only hope is that this is the first step in completely retracting it.

The online retailer Zappos just had a data security breach where they lost 24 Million customer’s personal information records. This loss included names, addresses, email and phone numbers, encrypted passwords, but did not include credit card information.

No doubt that thoughtful security planning prevented the loss of credit card or financially sensitive information. However, it doesn’t really lessen the reality that the repercussions from the Zappos breach could be huge. Does data security go far enough if we accept that personal information is completely acceptable to be lost as long as financial information is not?

With the amount of personal information that was obtained in the Zappos breach, the thieves have a very lucrative marketing or hacking information package.

On the marketing side

Companies pay a lot of money for targeted marketing lists like the one that Zappos inadvertently provided. Let’s see, here’s a list of 24 million people that definitely buy things online, most likely shoes or clothing items, FIRE AWAY…

This information is a telemarketer or direct marketer’s dream, and they can target these known shoppers via phone, mail, and email.

On the hacking side

I can almost guarantee that Zappos customers are going to receive an onslaught of highly engineered spam, viruses, offers, and everything else to their emails. At the same time they are going to start getting physical spam, and scam offers, and probably are going to see telemarketing scams as well. There’s really no limit to how the information can be used for malicious purposes. Scam companies and hacking groups trying to install mallware and spyware are extremely efficient and proficient at developing well planned attacks on unsuspecting users. There are millions of computers called zombie computers because they are being used to send spam and other malicious activities without the knowledge of their owners. Expect some more.

As to the encrypted passwords. Websites typically use 1-way hashing mechanisms for password storage. This means that the password is encrypted, but cannot be decrypted by any reasonable means. The caveat to this is that if the hacker knows how the password was hashed, they can create a huge list of hashes and compare them to find the original. This is a very targeted attack, but with 24 million passwords it’s worth a lot of effort. They will begin finding real password very quickly if they discover the hashing mechanism. Since many users do not use unique passwords between websites, the direct loss from being able to log into user’s bank accounts, or other websites will be significant. I always recommend using a unique password with every site you log into, and use a password manager like roboform.

The reality

The reality of this situation is that Zappos is owned by Amazon.com. I can guarantee that Zappos has some stout security in place, and yet one of the largest, most tech oriented companies on earth, just had a data loss of 24 million records. This tells me that that standards we have in place for protecting data, especially non-sensitive data, are not enough. We should not just be protecting financially sensitive data, but all customer data. Sure there may be no direct cost in replacing bank cards, or obtaining new bank account numbers, stopping checks, or posting chargebacks, but the effect to the customer when you lose their data can be remarkable. We’ve yet to see the actual damages that this breach causes, but with the sheer amount of information out there, there could be substantial damages.

In case you haven’t been paying attention to the US political landscape, there is currently a bill in progress dubbed the great American firewall. It is a thoughtless overreaching nightmare’ish bill that claims to be for preventing copyright infringement.

Please read up and understand the implications of what this bill will do. There has never been a more 1984esque bill to be taken up by both houses of congress. It is absolutely ridiculous that our country would go this far just to help the massive media corporations under the veil that they are doing it for the good of the people. While supportable in concept, this is one of those “the road to hell was paved with good intentions” bills in what it will actually do.

Please contact your congress person and oppose this bill.

By now, the majority of merchants in the US have been informed of some impending IRS reporting requirements for their merchant account. I blogged about this congressional mandate several years ago and since we’re finally past the day of reckoning, let’s revisit how this is exactly going to affect your merchant account and your business.

An Overview

Some time back, the IRS decided that they wanted to see a report of all the money that a merchant processes through their merchant account over the year.

While this is a nearly useless number because as we all know, most businesses also accept cash, checks, and other currency, it will in theory catch the most egregious tax evading businesses. Basically, the few fractions of a percent of businesses that grossly cheat on their tax returns “could” get caught. Regardless of the absurdity of requiring the entire country disclose their processing volumes, here we are…

Now for this to work, your processor has to file a 1099 form with the IRS. This is a seemingly simple task. However, for this to actually work, your business information with your processor must exactly match what the IRS has on file. This includes business name, address, your tax id, etc. Things as simple as capitalized letters, a single space, and punctuation will cause a mismatch. You get a new tax id after opening up a merchant account. You signed your application with only your SSN and not your tax id number. Things like this will cause errors. Since it’s rare that merchants fill out their merchant applications with the exact same business information, with the exact same capitalization, and spaces as they do when they fill out their tax information, and nothing changes with their business-IRS relationship, it’s fair to say a lot of tax reporting information will not be valid.

So, what if the tax information is not valid?

So, here comes the nasty part. The IRS mandates that your processor will withhold 28% of all credit card payments until the errors are corrected. Yes, 28% of all of your credit card sales with be held until you fix whatever information is incorrect. And, even if you fix the problem, you wont get that 28% back until the end of the year.

More fees

Most likely you have or will receive notice that you are going to be charged for the work required to verify and prepare this massive undertaking. I’ve seen everything from several hundred $ per year, to a few $ per month. The reason you are being charged this fee is that it actually requires a lot of work to verify and prepare one of these documents for a merchant. Processors often have thousands, or tens of thousands of merchants, which translates into thousands of man hours in just the initial verification, not even taking into account contacting every merchant that has errors to obtain the correct information. If you didn’t authorize e-file for your 1099, your processor needs to mail you a physical form.

Exceptions

The exceptions to the filing requirements are:

1. a merchant’s total payment transactions for the year does not exceed $20,000, and
1. the total number of transactions does not exceed 200

In which case your processor will not need to file a report. This may consist of a good percentage of businesses out there, but most full-time businesses process more than $20,000 per year.

Conclusion

It’s unfortunate that the reporting regulation was ever passed. It’s a useless piece of legislation that creates a lot more work for small businesses and it’s unlikely that the reporting will catch any but the worst tax offenders. But, it’s passed and taking effect and there’s not much any of us can do about it at this point. No matter who you process credit cards with, keep a close eye on the mail and your processing statements for instructions on how to verify your information. My recommendation is to take it very seriously to avoid the 28% withholding.

First off, I wish everyone a great 4th of July weekend. Banks will be closed on Monday and it looks like most people are starting their weekend today anyway. Be safe this weekend and be very careful with fireworks if you live in one of the drought stricken areas like myself.

The past month has brought monumental changes to the payment processing industry.

Mobile frenzy

Mobile payments seem to be on the fast track with just about every tech related company steaming ahead at trying to be the first with a workable and widely adopted mobile payment method. Even Google has jumped in, despite Paypal’s arguments, and hopes to be a major player in mobile payments. If the Google Checkout service is any indicator of Google’s success in mobile payments, they simply aren’t going to make it. However, with their success in the mobile android operating system, and their already massive relationship with businesses, Google may have a chance at something.

Debit Interchange Regulation

The biggest news of the month, is the regulation of debit interchange. After fierce battling for more than a year, debit interchange is to be regulated to $.21 per transaction and .05% per transaction. As written, this applies to all debit card transactions, PIN or signature as well as Ecommerce/MOTO transactions. It’s not entirely clear when and how this will take effect but stay tuned over the next months.

The biggest winners in this regulation are once again the super retailers who process millions of transactions per year. Small and medium size merchants can expect savings, but it will not likely be anything as monumental as the Walmart’s and Amazon.com’s out there. There’s going to be a lot of misinformation flying and aggressive marketing over the next year as many processors will take advantage of the turmoil, misinformation, and instability in the merchant account industry. I would strongly suggest exercising caution in anyone making sensational claims about lowering your rates. Major industry changes offer the greatest opportunity to get scammed into a bad merchant account. Just remember that almost every processor has roughly the same hard costs, so if they are unrealistically lowering fees in one place, they have to make them up somewhere else.

Expect major checking account changes

As a result of banks losing roughly 50% of their revenue from debit cards, we should all expect drastic changes to our personal and business checking accounts over the next year. I know that all of my business and personal debit rewards have been canceled over the past 3 months. I think that debit rewards are the tip of the iceberg, and we should expect changes in debit and checking account fees and overall debit availability over the coming months. Some smaller banks have rumored that they will be dropping debit cards completely, so it will be interesting to see where this all ends up a year from now.

It’s a mute point to argue my position on the interchange regulation at this time. Retailers may be chocking this up as a victory, but don’t start celebrating yet. This regulation may seem like a small amount. Personally I think this regulation will change the way we do banking in the US, and could very well effect the entire retail economy, not necessarily in a good way. The next few years will give us a better picture of what these regulation have done to the retail industries and checking accounts.

A long time ago I wrote an article about credit card skimming. It remains the most visited page on this blog, I believe, because credit card skimming is one of those concerns that apply to both consumers and to businesses.

About a year ago one of the founders of Twitter and some other talented business persons came up with a mobile payment method called square. Square is a very tiny card reader that attaches to the audio port on a smart phone. It’s truly a clever little device that utilizes an existing port that just about every phone has. Merchant’s can sign up with Square without any fee and just about instantly process. Because of the ease of setup, there’s been some angry customers with money held, but something like this should be expected as the services operates on a similar model to Paypal. Square got some quick funding, and went off to the races faster than any payment related service in history. However, there’s a problem…

Unfortunately, Square also introduced one of the most efficient and low cost methods of creating an advanced credit card skimmer. When you sign up with Square’s processing service, you get the square for FREE. That’s right, for free you can turn your iPhone into a credit card skimming device. Thieves don’t even have to pay the $50 or so for a skimmer anymore, they get one for free. Not only is Square efficient and free, but they’ve already distributed hundreds of thousands of these little skimming nightmares all over the US.

A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.

There are 2 major problem with the Square hardware.

First, the square device does not encrypt data being transmitted between the reader and the phone. This could easily leave the service open to a targeted attack where other software could read the card information when it is being transmitted between the reader and the phone. This sort of issue may never be a major problem as it would take very specific software or a compromised phone for this flaw to be taken advantage of. However, it still remains a security possibility, one that cannot be overcome without updating the hardware completely.

Second, since the hardware has no encryption or secure link between it and the phone/square service, a programmer could easily write a program that would simply record the card information onto a database or file on the phone. This is the main problem that Verifone and many others are up in arms about. With the large memory cards that are commonly found in phones, a thief could theoretically store millions of card numbers on their phone. Additionally, since just about everyone has a cell phone, it is considerably less conspicuous for a thief to skim cards with a phone than with the dedicated skimmers which look something between a pager or a magnetic card reader you would see attached to a computer.

This morning, VeriFone launched an entire website dedicated towards bringing down square. While VeriFone is a direct and probably the largest competitor of Square with their PayWare Mobile App, they have quickly illustrated not only that the square can be used for skimming, but that there is software that can already be used with the square hardware.

The problem now is that there are tons of these square credit cards readers all over the place, so the damage has already been done. At this point there’s literally nothing that can be done to prevent skimming using square devices. There’s even applications for blackberry and android that already work with the square hardware even though it was designed for the iPhone and iPad. I think that this sort of hardware is a perfect example of what happens when a company pushes software or hardware without putting enough in the research in how to make it secure. There’s more than 1 way to steal a credit card number…

With the amount of focus on PCI and data security of the last 10 years this is a blatant disregard for the most basic best practices, even those established 10 years ago. Twitter may be a whimsical concept, but there’s really nothing amusing about completely botching credit card data security at the expense of consumers and the businesses whom accept those stolen cards…

Update 03-10-2011

So, Jack Dorsey issued a rebuttal to VeriFone‘s website and statements about the Square.

Second, as Dorsey points out, credit card fraud is not new. Every single time you hand over your credit card to someone (whether it is a merchant using Square, or any one of the dozens of other credit card input methods) you are trusting them not to steal it. Criminals steal credit card numbers all the time, both online and offline. But it happens, and when it does, consumers are not liable for fraudulent charges, the credit card companies are.

What’s not fair or accurate is Jack Dorsey’s fundamental lack of understanding of how the credit card industry works! Any merchant knows that if they accept a credit card that was stolen, they are liable for the fraudulent charges. There’s no magical credit card company that’s going to float in and take responsibility for it. The merchant loses when it comes to credit card fraud, plain and simple.

This disregard to merchants all while Square is trying to sell them a processing service is simply insulting. I’m a merchant as well, and this is just disrespectful.

After reading this, I am completely convinced that Jack Dorsey and Square have no business providing a payment service of any type to anyone. Stick to tweeting…

Chase just release information that they are considering capping all debit transactions to $50 maximum.

This is in response to the $.12 debit card interchange regulation battle that is waging between banks and retailers. I will refrain from commenting on the debit card regulation at this point. I’ve made my views and concerns known to the federal reserve board. What I will end with is that the entire debit and credit regulation concept is far more complicated that many would like to believe. It cannot be simply capped without major repercussions perhaps large enough to hurt the entire US and world economies. Something as important as this should not be attached to major bills and should be voted on separately as this specific regulation was not.

Friendly fraud is one of the most frustrating expenses a business owner will ever deal with. Friendly fraud is when a customer utilizes the credit card chargeback system to get a refund on a completely legitimate and honest purchase. It most often occurs in online business as it is very difficult for a business to win chargebacks, especially chargeback codes 53 and 4853, item not as described. “Item not as described” is such an ambiguous reason that a customer can request a chargeback, it’s simply unfair and often abused.

Traditionally, merchants receive zero benefit-of-the-doubt from card issuers when it comes to chargebacks, mainly because issuers make much more money from their card holding customers than from the merchants that accept them.

MSN’s red tape chronicles recently outlined a changing landscape for cardholders that stands to greatly benefit merchants. Banks are finally starting to crack down on friendly fraud type chargebacks. Banks aren’t doing it specifically for the benefit of merchants, as they found that customers whom initiate a large number of possible friendly fraud chargebacks are also those often in financial trouble, it will nevertheless benefit merchants.

In a recent survey, it was found that more than 1/5 of fraud loses come from friendly fraud scenarios. Reducing fraud loses by even 5% overall would be a huge achievement, and would account for almost $7 billion dollars per year in recovered revenue for merchants.

It just goes to show that US government anti-trust regulations do not apply to B2B organizations!

Verifone just acquired Hypercom corporation. This effectively removes all legitimate competition from the US credit card terminal market. Verifone’s own products have suffered a decline in reliability and quality starting 5 or 6 years ago, so naturally Verifone began purchasing competitors. They started with wireless leader Lipman, and then acquired Way Systems, and now have taken down the last barrier, Hypercom. Verifone stated that this acquisition was to expand their presence in the European market, but make no mistake it removed their last competition from the US market completely.

I don’t want to forget Ingenico whom is one of the worlds largest terminal manufacturers, however they are a mere drop in the bucket in the US and sell almost exclusively to large chains and direct placement deals that normal mom and pop merchants will never see.

I’m personally appalled that the government allowed this transaction to take place. On the bright side, if Verifone cannot produce a higher quality product, there’s several smaller manufacturers that are already gaining serious ground, most notably Dejavoo, ready to replace Hypercom. This will provide the perfect avenue for Dejavoo and others to become much larger terminal brands (until Verifone purchases them of course). Dejavoo’s product is far superior to Verifone or Hypercom and is cheaper than either.

I’m seriously holding back words on writing this. The impact of this on the credit card terminal industry would be comparable to Walmart purchasing Target or Microsoft purchasing Apple. This sort of acquisition is the reason that anti-trust laws exist. It’s unfortunate that the government’s priorities are so far removed from the B2B industries of the country.