Information on Merchant Accounts,
Ecommerce and Credit Card Processing

June 28th, 2007 by Jamie Estep

Arkansas screwed up restricting termination fees!

Filed in: Industry News, Merchant Accounts | 2 comments

A few weeks ago Arkansas passed a law that would cap merchant account termination fees at $50, or one month’s minimum charge.

Download Arkansas Act 911 .pdf

This law was passed un-democratically “quickly”: the Arkansas congress drafted and passed it without any notice to media, processors, banks, citizens, or even merchants until the law was written.

As far as the law itself, it mainly requires processors to be transparent about the contract length and any termination or other fees that would be incurred if a business closed its merchant account before the contract ended. It ensures that merchants can read the contract because it goes as far as setting a minimum font size for the merchant application. The law does not provide any protection for businesses in leases, or other equipment related recurring fees or charges. It also only applies to businesses signing up after July 31 of this year.

Overall, fee transparency is something that a lot of ISOs need to address better. Capping termination fees without any input from processors is completely unfair, even though termination fees are often excessive. The law is trying to keep businesses from getting scammed, but because of some poor editing, it isn’t going to do anything.

Here’s where they went and messed the whole thing up:

(d) The foregoing provisions of this chapter do not apply to:
   (1) A state bank or a state savings association that offers a credit card processing service;
   (2) A national bank or a national savings association as defined in 12 U.S.C. 1813, as it existed on January 1, 2007, that offers a credit card processing service; or
   (3) The parent, affiliate, or subsidiary of any bank or savings association that offers a credit card processing service.

Well, they effectively voided out this entire document with #3. Since every legal ISO is an affiliate of a bank, this law no longer applies to anyone, unless they are somehow providing services illegally, in which case they probably have other things to worry about. Someone obviously was mad, in a hurry, and forgot to do their research because it doesn’t take much to see the conflict.

I guess that’s what happens when you pass a law without any public notice or input.

June 25th, 2007 by Jamie Estep

The processing fee is the least important one on your application!

Filed in: Merchant Accounts, My Favorite Posts | 4 comments

If you are in the process of applying, or have applied at some point, to accept credit cards for your business, there’s a good chance that you found or were found by several merchant service providers. And chances are you based a large part of your decision about who to process with on the processing fee. The processing fee, while important, is the most overrated and overvalued fee that a business can pay attention to.

Here’s why…

The majority of businesses are only going to process a few thousand dollars per month. While most of us fantasize about doing millions of dollars in sales each month, it simply won’t be the case, ever. Because of this invisible cap on sales, and the fact that every decent merchant account provider is going to have a similar processing fee, you will pay about the same amount in processing fees no matter what company you process with. However, the other fees that are associated with your merchant account can tip the scale between affordable and a complete rip-off.

Just to clarify before I go any further, I always recommend businesses not shop based solely on price. However, those fixed and extra little fees that you weren’t told about up-front, ignored because they were really small, or simply didn’t understand, are going to have a big effect on what you will actually pay to accept your customers’ cards. When those fees are hidden or not disclosed, it’s a pretty good sign that you found a company that you may not want to do business with.

And now the facts:

Let’s say a company processes twenty thousand dollars per month, with a volume of two thousand transactions (average sale of $10). The difference between 1.69% and 1.75% over $20,000 is only $12. Not really anything to write home about.

Now let’s say the provider with the 1.69% rate is charging $.25 for each transaction while the other is charging $.20. That comes out to a difference of $100 per month, which is probably something worth considering. A difference of $.01 per transaction will have more effect on the monthly cost than .1% in processing fees.

In this case: 1.69% & $.25 = 2.19% & $.20.

The processing fee in the second scenario is over 75% higher, but the cost is the same as the perceived lower rate.

When you start to add in things like $.05 AVS fees that you didn’t know about (You mean they charge me for that, and it’s required?), maybe a Watts surcharge of $.05 (what the hell is that?), and maybe even some fee listed in the miscellaneous section for $.05 (run away now…), the extra cost adds up really fast. You don’t even need to take into account things like downgrade fees, which can double your monthly bill, to see that little fees can make a huge difference at the end of the month.

My advice to anyone looking to accept credit cards, or anyone looking to find a new processor, is to stop looking at the huge distraction called the processing fee, and look at everything else you will be paying. Your books will be far better for it, and you will truly find out what kind of company you are dealing with.

June 20th, 2007 by Jamie Estep

If you get a chargeback, DO NOT ISSUE A REFUND!!!

Filed in: Merchant Accounts | 1 comment

I have to clear up some misunderstanding about what to do when you receive a chargeback.

So, you open your mailbox one day and see a letter from your merchant service provider. You open it and realize that it is a chargeback letter for a transaction that took place a few months ago, and upon examining the letter you notice the chargeback reason code is: 85. After looking up what this chargeback reason code means, you realize that it is because you forgot to issue the refund that you had promised the customer.

You log into your virtual terminal to find the transaction, and go to issue a refund. You might as well correct the situation now, since your customer is expecting their refund, right? Wrong!

Once you receive a chargeback, you do not want to issue a refund to that customer. No matter if the situation was as described above, or if your customer is standing at your counter. When you get a chargeback, the money from that transaction is immediately withdrawn from your account. If you go and issue a refund now, you just paid your customer back twice. I know that refunding your customer is the best customer service that you can do, but if the chargeback wheels are already in motion, you need to go ahead and let the chargeback work itself out.

If you do issue a refund, and the customer was already reimbursed from the transaction, you need to contact your processor immediately and explain to them that you issued a refund. Since it takes several days for a refund to be completed, there is a chance that you can get your money back if you act quickly, but time is working against you. Once the refund hits your customer’s bank account it can be considerably more difficult, and many times impossible to get the extra refund back.

Once a chargeback is initiated, check to make sure that you had not issued a refund at an earlier time, and then follow the instructions on the chargeback letter. If you had already issued a refund on this transaction, let your processor know. I have seen Amex allow chargebacks on transactions that have already been refunded, and I’m sure that it has happened with other card issuers as well.

June 19th, 2007 by Jamie Estep

American Express requiring us to maintain a reserve account

Filed in: Amex / Discover | 6 comments

We just got a letter in the mail today, that American Express is requiring our business to maintain a rolling reserve on our American Express merchant account. This news came as a huge surprise since we have only had one Amex chargeback in the last two years, over thousands of Amex transactions.

As a business that uses a merchant account in addition to providing them, we like to experience everything from our customers’ point of view, but this is definitely one of those situations that nobody wants to be in. Amex makes up about 25% of our transactions, and a reserve puts a marked dent in our income.

Anyway, if you’ve had a similar situation to this with Amex or another merchant account provider please share it. I would love to see if this is an isolated event or if Amex commonly places reserves on large ecommerce businesses with clean history.

June 14th, 2007 by Jamie Estep

Visa warns of software that stores prohibited data

Filed in: Fraud | 1 comment

A week and a half ago, Visa released a list of POS and other software programs that are storing prohibited data. Prohibited data refers to magnetic card track information, which Visa and Mastercard specifically prohibit merchants from storing.

These programs store prohibited data and must be replaced or patched for a business to be processing legally:

  • ICVerify All versions prior to 2002, V2X and lower.
  • Menusoft Systems Corp. All versions using DDserv.dll prior to V7.3.0350
  • Micros 8700 HMS: V1 – V2.11.9, V2.5 – V2.50.20, V2.7 – V2.70.14; 9700 HMS: version prior to V2.5; RES 3000: V1 – V3.1.2, and V3.2.0
  • Posera Software Maitre’D Versions Prior to V2002, Prior to V2003 SP 11, and prior to V2005 SP 3.
  • Radiant Systems Aloha: Prior to V5.3.15
  • Southern DataComm (SDC) All versions of ConnectUp, All versions of PopsOn, ProtoBase 4.7-x – 4.80-x, and PbAdmin versions 4.01-x and 5.00-x

Businesses need to make sure that their POS system is properly patched. Radiant Systems Aloha, and Micros have a huge number of users, so it is very likely that many businesses using these systems may need to patch their current software.

Don’t neglect this!!!
Businesses with these software systems are especially vulnerable and will no doubt be targeted by hackers and thieves for the data that they possess. With full track data, a thief could potentially make exact copies of real credit cards, which is much worse than simply losing card numbers.

Additionally, businesses that are not compliant risk having major fines assessed against them. If your business is using one of the POS systems listed above, immediately check to see if it needs to be upgraded.
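One way to check whether a POS system has been leaving track data behind is to scan its log and export files for the standard magnetic-stripe layouts. The following is an added example, not code from Visa or from any of the vendors listed above; the function names and the sample log are constructed for illustration, and the card number is the common 4111 1111 1111 1111 test number.

```python
import re

# Track 1 (format B): %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """Keep first six and last four digits so the report holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_text(text: str):
    """Return (line number, track type, masked PAN) for each track-data hit.

    A hit needs both the track framing (sentinels and separators) and a
    Luhn-valid account number, which keeps false positives low.
    """
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                pan = m.group(1)
                if luhn_ok(pan):
                    findings.append((lineno, kind, mask(pan)))
    return findings


# Constructed sample: a masked receipt line (allowed), two debug lines
# that contain full track data (prohibited), and one track-shaped line
# whose number fails the Luhn check (ignored).
SAMPLE_LOG = "\n".join([
    "2007-06-14 12:01:07 AUTH ok amount=10.00 card=************1111",
    "2007-06-14 12:01:09 DEBUG swipe=%B4111111111111111^DOE/JOHN^0912101000000000000?",
    "2007-06-14 12:01:09 DEBUG swipe2=;4111111111111111=09121010000000000000?",
    "2007-06-14 12:02:30 DEBUG swipe2=;4111111111111112=09121010000000000000?",
])

if __name__ == "__main__":
    for lineno, kind, masked in scan_text(SAMPLE_LOG):
        print(f"line {lineno}: {kind} data found for card {masked}")
```

Any hit means the file holds full stripe contents and the software that wrote it needs the vendor's patch or upgrade; the old files also need to be securely deleted, since patching does not remove data already written.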

June 12th, 2007 by Jamie Estep

Verifone must be sick of competing with themselves

Filed in: Industry News | 1 comment

I just got word that Verifone is making an industry wide increase on prices on many of the popular terminals that they offer.

My guess is that Verifone is tired of competing with themselves and is only making this increase because there is no competition that can stand up against them. Since Verifone owns Lipman as well, they have a complete dominance over the entire processing equipment market. Raising their price is a smart move for them because almost all equipment being used is theirs. It also sucks for business owners and equipment resellers as many terminals are going to nearly double in price.

Terminals that are going to go up in price in the next few months:

  • Omni 3200SE
  • Omni 3740 Dual Comm
  • Omni 3750 Dual Comm
  • Omni 3730/3730LE
  • VX 570/VX 570LE
  • VX 610
  • Nurit 8320
  • Nurit 292 Pinpad
  • Verifone P250 Printer
  • Verifone P900 Printer

There are also a few other increases on a few rarely used pinpads, and printers.

This definitely appears to be one of those situations that antitrust regulations were made to protect against. Unfortunately nobody paid any attention to an obvious monopoly in the making when Verifone purchased Lipman last year.

May 29th, 2007 by Jamie Estep

Interchange activism is missing the point

Filed in: Merchant Accounts | 1 comment

In the Green Sheet this morning, there was a good article about how credit card interchange is still under fire. Especially since some of the more significant updates to the interchange schedules this April (Visa adding a new category of cards), interchange is again under the microscope.

At least a dozen bills pending in state legislatures address topics related to interchange, according to the NCSL. Here’s a rundown of several key initiatives:

  • Two bills introduced in the Florida state legislature would require refunds to merchants paying interchange on sales taxes.
  • Legislation pending in Kansas would require that merchants have better access to information related to interchange rates. It also defines interchange fees for purposes of state law.
  • A bill pending in Nevada would prohibit interchange on certain transactions.
  • In Oklahoma, legislation has been introduced that would prohibit certain contract provisions regarding merchant transaction fees.
  • Lawmakers in Tennessee are considering legislation that would cap at 0.75% all processing fees associated with credit or debit card transactions. The proposal would apply to contracts entered into with merchants by banks or their agents after July 1, 2007.
  • Texas lawmakers have a bill before them that would require more transparency in disclosing interchange and related processing fees. A tougher bill, introduced and quickly withdrawn in March after a large consumer letter-writing campaign, would have allowed retailers to surcharge credit and debit card payments to cover processing costs.
  • In Washington state, lawmakers want to restrict interchange to 1.5% of the total cost of a retail card transaction.

Now, I can completely agree that interchange needs to be more transparent. As far as showing how much interchange is paid, itemized for every transaction that a business processes, it may be a little excessive. Imagine a business that processes a million or even ten thousand transactions per month, have fun with that statement.

From what I read on a weekly basis, lawmakers and interchange activists often completely miss the concept of interchange, and therefore are not developing strong arguments in trying to get interchange reduced or even more transparent.

Here’s what I think needs to happen before any major interchange changes are made:

  1. The first step in making any progress towards a more transparent and potentially lower interchange, is going to be a more widespread understanding of what interchange is and where the fees go. There is so much inaccurate information and opinions as to what interchange is, and what it is being called, that it is hard for anyone outside the industry to know what is fact.
  2. There needs to be a much better understanding of who interchange fees actually are paid to (Most of interchange does not go to Visa or MasterCard).
  3. There needs to be an understanding of what processing fees are, in relation to interchange. (Tennessee capping processing fees to .75% is going to do nothing but stop Tennessee businesses from being able to accept credit cards.)
  4. There needs to be some understanding that the billions of dollars in equipment that makes up the processing networks costs billions of dollars to maintain. Also, Visa, MasterCard, all of the processing banks, ISOs, MSPs, and other organizations that are needed to actually provide the processing services, employ tens of thousands of people and can’t run for free. (Yes there are many overpriced organizations out there, and ones that are just trying to rip business owners off, but there are good ones too.)
  5. Someone in Congress is going to have to start caring before anything changes. Currently, there aren’t any congressmen who have shown any remote interest in regulating interchange on a national level.
  6. Card holders are going to have to stop getting cards with huge rewards programs. Interchange categories are based on rewards programs associated with specific cards. This is also the reason that interchange is so complicated and keeps getting more expensive. The more rewards your card has, the more that a business has to pay to process it.
  7. Most Importantly: Consumers are going to have to take interest in what businesses have to pay to process their credit card. The sad fact of doing business in the US is that nobody really cares about how much a business has to pay for anything. If consumers started complaining about interchange, you can be damn sure that things would change quickly, but as long as consumers are happy with their super rewards cards, and they still want faster, more convenient ways to pay, interchange will go nowhere but up.

May 24th, 2007 by Jamie Estep

How many data security breaches will it take?

Filed in: Fraud, Merchant Accounts | 8 comments

I was checking out this chronology of data security breaches this last weekend, and I realized that the number of breaches that have occurred is absolutely amazing. Over 150 million records have been compromised in the past two and a half years, and this number doesn’t take into account the fact that the number of compromised records for about 1/3 of the total number of breaches is unknown.

From looking at this we can observe a few solid facts about data security breaches in general. First, the three most common reasons for data to be compromised are lost and stolen laptops and storage devices, disgruntled employees, and hacking.

The top five data security breaches are:
TJ Maxx (45.7M) – Massive long-term hack
CardSystems (40M) – Hacking of unencrypted data
U.S. Dept. of Veteran’s Affairs (28.6M) – Stolen laptop (No data has been used to date)
iBill (17.7M) – Inside
Georgia Dept. of Community Health (2.9M) – lost disk

These are breaches relating to banks and financial institutions:
CardSystems (40M) – Hacking of unencrypted data
iBill (17.7M) – Inside
CitiFinancial (3.9M) – Lost backup tapes
Bank of America (1.2M) – Lost backup tape
Wachovia, Bank of America (676,000) – Inside
Providence Home Services (365,000) – Stolen backup tapes
Mortgage Lenders Network USA (321,000) – Inside
Ameriprise Financial Inc. (260,000) – Stolen laptop
Ameritrade (200,000) – Lost backup tape
Fidelity Investments (196,000) – Stolen laptop
Iowa Student Loan (165,000) – Lost laptop while being shipped
Firstrust Bank (100,000) – Stolen laptop
People’s Bank (90,000) – Lost computer tape
MoneyGram International (79,000) – Hacking
Mercantile Potomac Bank (48,000) – Stolen laptop
J.P. Morgan (47,000) – Tape drive missing
PayMaxx (25,000) – Accidentally exposed online
Bank of America (18,000) – Stolen laptop
Premier Bank (18,000) – Stolen data
KeyCorp (9,300) – Stolen computer
North Fork Bank, NY (9,000) – Stolen laptop
Univ. of Michigan Credit Union (5,000) – Stolen documents
Chase Bank and the former Bank One (4,100) – Documents left in desk that was sold
TransUnion (3,623) – Stolen computer
AllState Insurance (2,700) – Stolen computer
Equifax (2,500) – Stolen laptop
Sovereign Bank (Thousands) – Stolen laptops
West Shore Bank (1,000) – Security break
Westborough Bank (750) – Inside
Ceridian Corp (150) – accidentally posted personal data on website
City National Bank (Unknown) – Lost backup tapes
J.P. Morgan Chase & Co. (Unknown) – Stolen laptop
J.P. Morgan (Unknown) – Information found in trash
Bank of America (Undisclosed) – Stolen Laptop
Bank of America (Unknown) – Internet by former contractor
Bank of America (Limited Number) – Stolen laptop
La Salle Bank, ABN AMRO Mortgage Group (2M) – DHL lost but later found backup tape
Wells Fargo (Unknown) – Stolen computer
M&T Bank (Unknown) – Stolen laptop
Matrix Bancorp Inc. (Unknown) – Stolen laptops
U.S. Bank (Small Amount) – Stolen briefcase
VISA/FirstBank (Unknown) – Visa card processor’s compromised data
Home Finance Mortgage, Inc. (Unknown) – Accidentally discarded files
Columbia Bank (Unknown) – Hacking

How we can stop all of this:
The current focus on data security seems to revolve around PCI / CISP compliance and keeping data protected and properly stored. In truth, not storing sensitive data on portable devices would do far more good. The biggest cause of data compromise is stolen or lost laptops containing sensitive information. Many of the thefts were from an employee’s personal vehicle or home. Five data loss incidents by a single company (Bank of America) is completely unacceptable. Companies, especially ones where trust is a huge factor (banks), need to take a much more serious approach to securing information. Only three of these data losses at financial institutions were due to hacking. There really is no excuse for the rest of them.

The next thing that I find particularly upsetting is that a huge overall percentage of the laptop and portable storage related losses were from government agencies, and the majority of all losses happened at universities or other educational institutions. Our government and educational institutions are obviously not being cautious enough with personal information. I won’t list all of these because it would take about 10 pages to get them all in.

The bottom line is that everyone needs to take some common sense precautions with data security. The newest two million bit encryption, and all the security in the world, isn’t going to help when an employee loses a laptop with sensitive information on it.

May 18th, 2007 by Jamie Estep

Texas businesses liable for data security breaches, Jan 09

Filed in: Fraud, Industry News | 3 comments

I’m a few days behind on this one. I completely forgot to write about it last week, but the PCI and Data Security Compliance Blog reminded me when I saw it in my feed reader.

Last week, the Texas legislature passed a bill that makes businesses liable for any monetary expenses resulting from data security breaches of their company. The data that is specifically covered under this is credit card or other magnetic or chip stored information, and personally sensitive information. The bill also states that businesses must safeguard sensitive information and that they must take action if a data security breach is discovered.

Businesses will be responsible for any costs that a financial institution incurs when it has to replace customers’ cards that may have been compromised, as well as for repaying the financial institution’s legal fees. More importantly, the business is completely liable for any refunded transactions that the bank has to make to the customer. (This is the first time that I have ever seen a bill, law, or regulation that takes chargeback liability from the business that actually accepted the card.) It is also one of the only logical regulations I have seen regarding the payment processing industry.

The bill does not specify how the data must be stored, so any business that keeps copies of sensitive data, either in an electronic database, or on paper, is subject to this bill. Also, businesses that are PCI compliant are protected.

This is an extremely important bill and I imagine that many states are likely to follow suit. In my opinion the most significant part of this bill is placing liability on the business where the breach occurred. Realistically, this could be a very positive change for online businesses and others that are subject to stolen card fraud. I’m not sure if there is a measurable percentage of fraud that occurs from breaches, but if there is it could definitely help take the load off businesses being hit with this type of fraud.

Texas BILL HB03222E (text document)
Actual Texas BILL HB03222E

Other blogs about this law:
Texas first state to make PCI law
PCI Codified into Texas law (nearly)
The Law of PCI
PCI Takes A Twist

May 17th, 2007 by Jamie Estep

The back-end process to setup a merchant account.

Filed in: Merchant Accounts | 1 comment

Once a merchant account application is submitted by a business, there are several steps that it must go through before the business can get set up to accept credit cards.

I very often see merchant account providers making same day setup guarantees to potential customers. While I’m in no way saying that it isn’t possible to set a business up the same day, this is most often nothing more than a marketing scheme. Depending on the back-end processor, some take a minimum of 24 hours for the actual merchant account to go live. In cases like this, there is nothing that any business can do to speed up the process.

The Steps:

  1. Application is submitted by the business owner to the sales agent or the ISO’s applications department.
  2. The application is reviewed to ensure that no required information is missing.
  3. The application is manually entered into the processor’s underwriting system.
  4. Depending on several risk factors, an instant approval may be received at this point.
  5. If there was not an instant approval, the application is placed into the underwriting department’s queue.
  6. The application is reviewed by an underwriter. The underwriter can approve the application, decline it, or request additional information. The ISO’s applications department is notified of the status change of the application.
  7. If additional information is required, the ISO will get the required information (could be utility bill, marketing material, etc.) and resubmit it back to the underwriting department.
  8. Once the application is approved, the ISO will setup the software, payment gateway, or credit card terminal for the business to process with. (After the application is approved, it normally takes about 24 hours before the merchant account is live. Only a few processors have the technical ability for a business to start processing immediately.)
  9. Once the account goes live, and the merchant’s processing system is setup, they can now process credit cards.

Back End Setup

In the end, a considerable amount of human work needs to be done for a merchant account to get set up properly. Any problem or error at any step of the process can greatly delay the merchant account getting set up. Unfortunately, there is little room for automation in the application process. Even though it technically makes sense to create an automated system, one of the main purposes of this process is to prevent fraud. Computer algorithms score applications for fraud, but a human must make the final decision.