Information on Merchant Accounts,
Ecommerce and Credit Card Processing

November 21st, 2006 by Jamie Estep

Integrate a website with

Filed in: Ecommerce, Merchant Accounts |

The merchant account services blog, just came out with a guide on integrating a website with

The guide is written for websites using PHP 5, Curl, and SSL to connect a website to using the API method (Known as AIM with

PHP 5 is required for this particular script. There are several PHP 5+ functions that will make the script completely incompatible with PHP 4. Unfortunately a good percentage of servers are still using PHP 4. Apart from that, it looks like this guide should be all that a developer needs to successfully integrate into a shopping cart system.

I really like the feature where the script automatically retries a transaction 3 times if there is an error. This can be common with payment gateways, and it’s definitely not good to return an error or declined message if you absolutely don’t have to. The script also validates the card number using a simple version of the LUHN algorithm to verify the card number against a check-sum, in addition to performing basic card number and expiration date checks.

When it’s all said and done the script will return an approved, error or declined message for your customer’s transaction, and you can send them to whatever page or message on your website that you want.

This script is complete, but I don’t think that a new programmer should change anything they don’t understand, because they have the potential to open security holes if their programming gets broken. This is especially important since this script will transfer sensitive information across web servers.

There are a variety of free and paid scripts out there, but this one is written by a competent group of individuals that have extensive knowledge of payment processing, web development, and web security, so I highly recommend it.

Check it out:
Integrate the Payment Gateway with PHP

November 17th, 2006 by Jamie Estep

Why paypal will never replace merchant accounts!

Filed in: 3rd Party Processors | 3 comments

I have sold a lot on eBay, probably over $300,000 worth of merchandise over the past six years through my company’s sales and through personal auctions. Due to the nature of eBay I have accepted most of this money using paypal.

Recently I started few auctions on eBay and collecting payment through paypal. I haven’t sold much on ebay in several months. Paypal subsequently froze my account, and wont release he funds (We’ve all heard this story about one million times). This isn’t the first time it has happened to me with paypal. I had a lot of money frozen last year, which took a while to clear up, but I got my account un-frozen after a few days of sending documents to paypal. This time was a completely different story. I think that I may have had either a complete imbecile review the information I submitted, or maybe he was just having a bad day or something. But, Paypal wont un-freeze my account until I send them some documents that I don’t have, and cant get, and there isn’t anything else they will do for me. I understand risk, how to determine it, what situations are higher risk, and this is not one of those situations.

The irony behind all of this is that I run a division of a payment processing company. I have experience in risk management and underwriting, probably more than most of the people working in that department at paypal. I am selling tangible products. I haven’t even processed a large sum of transactions, under $5,000 total.
But, they don’t care.
They don’t care that my customers will back me up and let paypal know personally that my products were legitimate. They don’t care that I have a processing history with paypal of over $200,000 in past transactions without more than one or two frivolous disputes. They don’t care that I have processed over 2,000 transactions using paypal. They don’t care that my company is a merchant account provider that has been in business for 10 years. They just don’t care…

I see the question often whether companies like mine are worried about companies like paypal. The answer is NO. Not in the least bit. Not now, and probably not ever.

Paypal, you have a long way to go.

There are several ways that this situation differs from an actual merchant account. First off, this situation can happen with a merchant account, so don’t think that paypal is completely unique. The two main reasons would be, if a business processes a much higher total volume than what they stated on their application, and if they run much larger transactions than what they stated as their average on their transaction. The specific processing bank that a business is with also determines how much buffer they have to go over their predicted volumes.

Now for the differences:
With a merchant account, you can actually get a person on the phone within 5 minutes, or even 10 minutes. Paypal (-5). Secondly, you can usually talk to someone that actually has a clue about what is going on or at the least they will try to figure it out, and they will actually listen to you and not just look at a report that says ‘freeze’. Paypal (-5)
With a merchant accounts, your provider actually wants to keep your business, (Paypal -2) and they work with you to clear up the problem. (Paypal -1) You are given the benefit of doubt that this could possibly be just good sales. (Paypal -5) Paypal immediately assumes that you are a criminal and then works against you trying to prove you wrong. (Paypal -5)

The risk management business for merchant services is as strict and numbers based as any screening system I have seen, but it doesn’t touch upon the bureaucratic chaos that paypal operates.

Basically, paypal fails because the way they handle these situations. They fail to give you the support that you need, when they took the steps to freeze your account. At least make it easy to contact a real person to clear up the situation, or get some additional information. The only communication they accept is by fax. Lets be realistic here, last time I checked, fax was not considered a secure, efficient, or easy way to communicate with someone.

Finally, paypal needs to get some policies in place to help the people that they make their paychecks from when those people do get in situations like these.

November 16th, 2006 by Jamie Estep

First Data’s FD 100, Not as cheap as planned

Filed in: Credit Card Equipment | 10 comments

Originally First Data released an initial price of the new FD-100 terminal to be around $200.

Sadly, I learned a few days ago that this was a completely incorrect initial statement. The actual price of the FD-100 is most likely going to be in the $400 – $500 price range.

To me this is quite a lot of money for a terminal that can only be used on FDMS processing platforms. Yes, the terminal does have a ton of features, but some like USB ports aren’t able to be used by the majority of peripherals. The original $200 tag was low enough that it made the terminal worth the cost despite the drawback of being proprietary. I imagine that the $500 version is going to be much more difficult to push into the marketplace, when terminals like the Omni 3750, Hypercom T4100 and a few Nurit terminals have the same features, at a lower price, and they can be used with any processor.

The original FD100 post

November 15th, 2006 by Jamie Estep

Merry Christmas, Return Fraud and the Holidays

Filed in: Fraud |

Caught StealingWith the busiest shopping season for many retail and internet merchants right around the corner, businesses are prepping for the holiday chaos. The busy shopping season also brings the largest season for consumer fraud. Consumer fraud against merchants including ‘return fraud’ costs businesses billions of dollars a year.

With an estimated 3.5 Billion dollars of return fraud during this holiday season, it is very likely that most businesses will be affected by return fraud in some way.

What is return fraud?

Return fraud is when a consumer returns merchandise to a store, with a purpose other than a genuine return. I did some research on return fraud, and found a couple of main types of return fraud that businesses will see.

Returning multiple items on the same receipt is when a customer will return a quantity of an item on a single receipt, by making multiple copies of the receipt. They may purchase additional items at discount and then return them to another store with high prices using fake receipts.

Returning a lower priced item in a higher priced item’s packaging. This would occur when a customer purchases two similar looking items at a very different price. The customer would then put the lower priced item in the higher priced package, return it and keep the higher priced item for themselves.

Renting Stuff is a very common type of fraud for electronic and clothing retailers. A customer will buy some electronic device, or some piece of expensive clothing, use it and then return it. Businesses usually cant sell the returned goods for full price, and take a loss when they discount it. This is more common with higher dollar merchandise.

Stolen Merchandise Returns occur when someone tried to get a refund on merchandise that was stolen, often from the same business the return is taking place at. Employees may also steal merchandise and then have an acquaintance return it for cash.

Counterfeit Money actually tops the entire list of the most common form of return fraud, and can consist of fake checks, or counterfeit cash used to pay for merchandise, and then later the customer tries to return it for real cash.

Employee return credit fraud is one of the most common types of fraud that exists. An employee will issue a credit on their own, or a friend’s credit card through a business’s credit card terminal. This is often overlooked by managers or employers as it can appear as a legitimate refund.

How return fraud costs a business:

Businesses lose to return fraud in several ways. They may be buying merchandise that they never sold, or that was stolen from them.

Businesses may not be able to resell the merchandise that was returned if it were heavily used, or it was simply something that cannot be resold.

A business may be making a payment to one of their employees, or may be loosing money by accepting a deceptively returned product.

Ways to combat return fraud:

A business should have a very clear return and refund policy outlined for their customers, and they should stick to it. I think it should be fair, as there are situations where returns are completely legitimate, but strict enough to stop some of the fraud that is likely to occur.

Businesses should not accept returns without a receipt, and if they do decide to accept a return without a receipt, store credit should be issued instead of cash. Also, if a customer made a purchase with a debit or credit card, the return should always be credited to that exact card. This is also an important chargeback prevention measure. If a business gives cash and then the customer charges back a transaction, the business can lose the chargeback in addition to the money they already refunded.

Implementing a system that keeps track of returned receipt numbers will prevent fraud from copied receipts. For some businesses this may not be a cost effective option, but some system should be used to keep track of returns in the event that electronic means are unavailable.

Employee return credit fraud can be combated by having a business’s credit card machine or POS system to require a password or key to perform a return. Most credit card machines and POS systems can be setup with some type of security to prevent this type of fraud.

Return fraud normally occurs on Friday, Saturday, and Sunday.
Since these are the busiest shopping days, fraudsters go because there is a good chance that their return will be overlooked.

Who’s a target?
The biggest targets of return fraud aren’t necessarily large retailers, as these companies often have complex returning systems designed to prevent return fraud. Target now only allows two non-receipt returns per year, per customer, and many other super retailers are taking similar measures. Take the time to look at your current setup and determine if you are a possible target of return fraud.

Your customers make your business possible, but not every person who visits your store is doing it for legitimate purposes. It is always a good practice to make customers happy, but care should be taken that a business isn’t being taken advantage of in the process.

November 7th, 2006 by Jamie Estep

The Merchant Account Search Engine

Filed in: Merchant Accounts |

Well, I had to jump on the bandwagon even though I’m a little late.

Google released their custom search engine last month, and I have finally gotten around to making a merchant account search engine. So far I have compiled a search engine of a little more than 40 websites and pages around the internet that offer useful, accurate and relatively un-biased information about merchant accounts.

Check out the Merchant Account Search Engine.

Some of the sites that the search engine searches are this blog, the merchant account services . org website and blog, Visa, Mastercard’s Merchant Center, Amex, a few Wikipedia pages, most of the other blogs listed in my sidebar, several online discussion forums, and a bunch of other useful sites that I haven’t listed or talked about much here.

Let me know if you have a good resource related to merchant accounts or ecommerce and I will add it to the search engine. Any site will help as long as it is mainly an information resource, is accurate, free and is not a copy of something that I already have. The lineup is expected to change as some of these sites have way too much useless information that just clogs up the custom search engine.

November 2nd, 2006 by Jamie Estep

How long does a credit card machine last?

Filed in: Credit Card Equipment | 6 comments

I sell several thousand credit card machines through the company website each month, and one of the most common questions is regarding the warranty on a credit card machine, and how long will a terminal last. Verifone and Hypercom offer 5 Year terminal warranties (1 year on the printer) and Lipman offers a 1 year warranty on their terminals.

Broken Credit Card TerminalHow long should a credit card terminal last?

A warranty for a credit card terminal will cover any manufacturer defects with the terminal. Luckily, 99% of the time any defects are found within a week or two of using a terminal, as something that is going to fail is almost always going to fail early on. Thanks to the lack of advanced electronics in most credit card terminals, they are extremely reliable and will operate for many years under normal conditions.There are many terminals in operation today that are over 20 years old. Early Tranz and Zon series terminals, which were originally manufactured in the early 80’s are still working strongly, and are probably the most reliable terminal that have ever been made.

As long as any manufacturer defects are discovered early on, the terminal itself can fairly easily last 6 years or more. The expected life on a credit card terminal from the manufacturer is normally about 100,000 hours. With less than 10,000 hours in a year, the lifespan of a terminal should be around 10 years. The main reason that terminals don’t last this long, is that they are heavily used, dropped, or abused which reduces their life. Things like spilling a soda on the terminal, or dropping it on the floor will almost always drastically reduce the life of a terminal, if it doesn’t break it completely.

Maximizing the life or your terminal:
For a short period of time, liquids or physical shock are the most damaging things to a credit card machine. Looking at a terminal over time, heat, dirt and debris will reduce the overall life of your terminal.

Keep the terminal clean and avoid spilling food and especially liquids on it. Try to keep it in an area where there is adequate airflow, and someone where it wont get bumped or dropped.

Heat kills electronic equipment, and some of the components in a terminal can get fairly warm. Over time this degrades the internal components of the terminal, and will reduce the overall lifespan of the electronics. Try not to keep the AC adapter directly next to the terminal as it is probably the hottest part of the terminal. Also, try not to put the terminal in the exhaust path of a cash register or computer as these can produce a lot of heat that gets blown directly into the terminal.

If you do spill a liquid on it, immediately unplug it and call you processor for cleaning instructions. Normally drying it out and cleaning some of the parts with a mild isopropyl alcohol and water solution will fix it, but contact you provider or you may void your warranty or break your terminal by improperly cleaning it. Also, some terminals have intrusion prevention devices that will cause your terminal to be inoperable if it is opened, so don’t actually disassemble your terminal. The bottom line is that if you spill something on it, unplug it and call your processor’s technical department.

November 1st, 2006 by Jamie Estep

Mastercard Finally Publishes Interchange

Filed in: Merchant Accounts |

Mastercard has finally published their interchange rates. Visa beat Mastercard to publishing interchange rates, even though Mastercard made the initial announcement a few months ago, about a month before Visa.

An expected backlash against Visa for having such a complicated interchange schedule came almost immediately after the release. Mastercard’s rate schedule is 72 pages long, making Visa’s 5 page report fairly mild in comparison.

Best of luck to anyone trying to completely decipher this monster.

Related Posts:
Visa publishes interchange fees
Visa is going public
Mastercard to publish interchange rates

October 31st, 2006 by Jamie Estep

PCI and Data Security Blogs

Filed in: Merchant Accounts | 1 comment

From a recent visitor’s comment, I found several notable blogs relating to PCI and data security, and wanted to share them.

First off, the PCI and Data Security Compliance blog is a well written and frequently updated blog that covers a lot of PCI related information. Much of the information is very tech related and may be a little too technical for the average business / website owner, but there is still a lot of useful, understandable information, to be found on the blog.

Another blog the PCI DSS blog, run by James DeLuccia IV takes a thorough look at just about every aspect of data security. Topics range from business ROI in regards to data security, and changes in PCI compliance requirements, to information about the PCI security standards council. Again, some of the posts are very technical, but there is a lot of great information written from someone that really knows about data security.

I have also added a data security section to the sidebar of this blog, that I will be adding useful data security related resources to.

October 25th, 2006 by Jamie Estep

Required Actions for PCI Compliance

Filed in: Ecommerce, Fraud, Merchant Accounts | 2 comments

If you accept credit card online, this chart is for you. This chart is a simple breakdown of the PCI data compliance levels and requirements. If you accept transactions online, you fall into one of these levels. This chart explains what the requirements are to be in a specific category, and what a merchant must do to remain compliant.

The yearly cost for a level 2, 3 or 4 merchant is around $150, while the yearly cost for a level 1 merchant is more than $30,000. Because of this, it is extremely important not to ever have a data compromise. I personally recommend not storing any sensitive data online, at all, and if it is stored offline, access should be highly restricted and the data should be encrypted. Track data should never be stored anywhere, under any circumstance.

If you have a data compromise and card holder data is stolen, you should expect upwards of $100,000 in fines, arbitration fees, and regulations in addition to the additional cost of level 1 PCI certification.

Level 1 Definition:
  • Over 6 million annual Visa or MasterCard Transactions
  • Any merchant suffered a hack or attack that resulted in a data compromise
  • Any merchant that card associations, at their discretion, determine should meet requirements
  • September 30, 2004 (1 year for new Level 1 merchants)
Level 2 Definition:
  • Visa: 1M – 6M annual transactions
  • MC: 150K – 6M annual transactions
  • Self assessment questionnaire and Quarterly vulnerability scan by approved scanning vendor
  • June 30, 2005 (Sep 30, 2007 for new Level 2 Visa merchants)
Level 3 Definition:
  • Visa: 20K – 1M annual transactions
  • MC: 20K – 150K annual transactions
  • Self assessment questionnaire and Quarterly vulnerability scan by approved scanning vendor
  • June 30, 2005
Level 4 Definition:
  • Less than 20K ecommerce or 1M total Visa and MC transactions
  • Self assessment questionaire and Quarterly vulnerability scan by approved scanning vendor
  • Dates determined by merchant’s acquirer

Related Posts:
Scan Alert PCI / CISP
A Guide to Small Business Security, Free PDF Download…
CISP, SDP, PCI Compliance required for every business…

October 25th, 2006 by Jamie Estep

Do you really need a POS system to accept credit cards?

Filed in: Credit Card Equipment | 1 comment

The computer industry constantly pushes the idea that everyone needs the latest and greatest computer in existence, when something for 1/10th of the price would be perfectly sufficient for most people. The credit card processing industry, especially in the retail and restaurant fields, often works similarly, where business owners are frequently convinced that they need some extravagant processing system in order to accept credit cards.

If you own a business, the last thing you want to be worrying about it whether your credit card processing system is going to work. It should be pretty much a rock solid, reliable system. Despite the price, the more complex systems out there can be the least reliable.

POS and complex processing systems are very difficult to setup, and difficult to maintain. If there are problems, support is often hard to get, complicated, expensive and time consuming. I have seen a software company take over 2 months to properly setup their system with a customer of mine. This system cost over $10,000 just to setup and it was constantly breaking. When you get a POS system, any support for your equipment, goes to the POS company and not your merchant service provider.

This situation is not uncommon for many restaurants and businesses with these expensive systems. What these businesses didn’t believe was that a simple credit card machine for $300 and a cash register for $800 would have been a much more cost effective system, that would have been minutely less efficient, but much easier to use. That $9,000+ difference in price will never be made up using that expensive system.

POS and complex processing equipment has its place:
There is no doubt that POS systems have their place with some businesses. Businesses with huge inventories would be completely lost without them, as would extremely high volume, complex menu, or high speed restaurants.

For many smaller retail and restaurants, especially start-ups, it’s just overkill!

What you do need:
I know restaurants that process over $5,000,000 per month in credit cards, and they use 5 impact cash registers and 5 Hypercom T7 Plus credit card machines. While this may not quite meet the demands of your business, you should carefully weigh your options before making your decision. Do you really need to spend thousands of dollars on something that may not help you in the long run. Find a system that is able to grow as the needs of your business grow. If you do opt for a complex processing system, make sure you aren’t going to need to replace it any time soon, and that it is very well supported. Replacing a credit card machine is cheap, but replacing a POS system is not. Also, don’t forget to take into account the time it takes to train an employee on how to use your system. A credit card machine only takes about 10 minutes to learn the basics, a POS system could take 10 hours or more.

Especially in the case of a start-up business, the money spent on a complex, expensive system is almost definitely better suited elsewhere. Don’t believe a salesman that tries to convince you that you need their system just because they say you do or throw some charts at you. As long as your processing method works smoothly and securely, your customers will not know or care what you are using to process their card. Only you can determine if you need that expensive system. If you’re in doubt, opt for the cheaper method and upgrade later.

Finally: Ask yourself if you really need all of the features, and if you really can justify the cost before buying into any expensive processing or other business equipment. Is your business better off spending that $10,000 elsewhere and upgrading later?