Information on Merchant Accounts,
Ecommerce and Credit Card Processing

October 31st, 2006 by Jamie Estep

PCI and Data Security Blogs

Filed in: Merchant Accounts | 1 comment

From a recent visitor’s comment, I found several notable blogs relating to PCI and data security, and wanted to share them.

First off, the PCI and Data Security Compliance blog is a well-written and frequently updated blog that covers a lot of PCI-related information. Much of the information is very tech related and may be a little too technical for the average business / website owner, but there is still a lot of useful, understandable information to be found on the blog.

Another blog, the PCI DSS blog, run by James DeLuccia IV, takes a thorough look at just about every aspect of data security. Topics range from business ROI in regards to data security, and changes in PCI compliance requirements, to information about the PCI Security Standards Council. Again, some of the posts are very technical, but there is a lot of great information written by someone who really knows about data security.

I have also added a data security section to the sidebar of this blog, where I will be adding useful data security related resources.

October 25th, 2006 by Jamie Estep

Required Actions for PCI Compliance

Filed in: Ecommerce, Fraud, Merchant Accounts | 2 comments

If you accept credit cards online, this chart is for you. This chart is a simple breakdown of the PCI data compliance levels and requirements. If you accept transactions online, you fall into one of these levels. This chart explains what the requirements are to be in a specific category, and what a merchant must do to remain compliant.

The yearly cost for a level 2, 3 or 4 merchant is around $150, while the yearly cost for a level 1 merchant is more than $30,000. Because of this, it is extremely important not to ever have a data compromise. I personally recommend not storing any sensitive data online, at all, and if it is stored offline, access should be highly restricted and the data should be encrypted. Track data should never be stored anywhere, under any circumstance.

If you have a data compromise and cardholder data is stolen, you should expect upwards of $100,000 in fines, arbitration fees, and regulations, in addition to the cost of level 1 PCI certification.

Level 1 Definition:
  • Over 6 million annual Visa or MasterCard Transactions
  • Any merchant that has suffered a hack or attack that resulted in a data compromise
  • Any merchant that card associations, at their discretion, determine should meet requirements
  • September 30, 2004 (1 year for new Level 1 merchants)
Level 2 Definition:
  • Visa: 1M – 6M annual transactions
  • MC: 150K – 6M annual transactions
  • Self assessment questionnaire and Quarterly vulnerability scan by approved scanning vendor
  • June 30, 2005 (Sep 30, 2007 for new Level 2 Visa merchants)
Level 3 Definition:
  • Visa: 20K – 1M annual transactions
  • MC: 20K – 150K annual transactions
  • Self assessment questionnaire and Quarterly vulnerability scan by approved scanning vendor
  • June 30, 2005
Level 4 Definition:
  • Less than 20K ecommerce or 1M total Visa and MC transactions
  • Self assessment questionnaire and Quarterly vulnerability scan by approved scanning vendor
  • Dates determined by merchant’s acquirer


October 25th, 2006 by Jamie Estep

Do you really need a POS system to accept credit cards?

Filed in: Credit Card Equipment | 1 comment

The computer industry constantly pushes the idea that everyone needs the latest and greatest computer in existence, when something for 1/10th of the price would be perfectly sufficient for most people. The credit card processing industry, especially in the retail and restaurant fields, often works similarly, where business owners are frequently convinced that they need some extravagant processing system in order to accept credit cards.

If you own a business, the last thing you want to be worrying about is whether your credit card processing system is going to work. It should be pretty much a rock solid, reliable system. Despite the price, the more complex systems out there can be the least reliable.

POS and complex processing systems are very difficult to set up and difficult to maintain. If there are problems, support is often hard to get, complicated, expensive and time consuming. I have seen a software company take over 2 months to properly set up their system with a customer of mine. This system cost over $10,000 just to set up and it was constantly breaking. When you get a POS system, any support for your equipment goes to the POS company and not your merchant service provider.

This situation is not uncommon for many restaurants and businesses with these expensive systems. What these businesses didn’t believe was that a simple credit card machine for $300 and a cash register for $800 would have been a much more cost-effective system that would have been minutely less efficient, but much easier to use. That $9,000+ difference in price will never be made up using that expensive system.

POS and complex processing equipment has its place:
There is no doubt that POS systems have their place with some businesses. Businesses with huge inventories would be completely lost without them, as would extremely high volume, complex menu, or high speed restaurants.

For many smaller retail businesses and restaurants, especially start-ups, it’s just overkill!

What you do need:
I know restaurants that process over $5,000,000 per month in credit cards, and they use 5 impact cash registers and 5 Hypercom T7 Plus credit card machines. While this may not quite meet the demands of your business, you should carefully weigh your options before making your decision. Do you really need to spend thousands of dollars on something that may not help you in the long run? Find a system that is able to grow as the needs of your business grow. If you do opt for a complex processing system, make sure you aren’t going to need to replace it any time soon, and that it is very well supported. Replacing a credit card machine is cheap, but replacing a POS system is not. Also, don’t forget to take into account the time it takes to train an employee on how to use your system. A credit card machine only takes about 10 minutes to learn the basics; a POS system could take 10 hours or more.

Especially in the case of a start-up business, the money spent on a complex, expensive system is almost definitely better suited elsewhere. Don’t believe a salesman that tries to convince you that you need their system just because they say you do or throw some charts at you. As long as your processing method works smoothly and securely, your customers will not know or care what you are using to process their card. Only you can determine if you need that expensive system. If you’re in doubt, opt for the cheaper method and upgrade later.

Finally: Ask yourself if you really need all of the features, and if you really can justify the cost before buying into any expensive processing or other business equipment. Is your business better off spending that $10,000 elsewhere and upgrading later?

October 19th, 2006 by Jamie Estep

Visa publishes interchange fees

Filed in: Merchant Accounts | 1 comment

As expected, Visa followed MasterCard’s lead and announced that they will publish their interchange fees. They also went ahead and published them.

Visa Interchange Fees Pdf

Unfortunately, the act of making interchange public does nothing to lower processing fees. Card issuing banks will need to lower the interchange for it to have any effect on businesses’ processing fees. To see who actually collects the fees, check out: Merchant Account Fees, Credit Card Interchange – Who are you really paying?

If you haven’t been following the Visa and MasterCard current events, here are a few posts to catch you up:
Visa is going public
Mastercard to publish interchange rates

October 17th, 2006 by Jamie Estep

Google Checkout Review

Filed in: 3rd Party Processors

I have had Google checkout on my main ecommerce website for about 3 weeks now. In the first week we had one Google checkout order, making the entire idea hardly worth the effort. If not for the AdWords Google Checkout Badge, we probably would have stopped using it altogether.

Weeks two and three offered a completely different experience. Google checkout orders jumped up to one or more per day, and have passed PayPal in percentage of orders on the website. This is something that I would not have thought possible.

I haven’t determined whether normal credit card paying customers just diverted to using Google checkout, or whether these customers were actually looking for a store that accepted Google checkout, as sales haven’t increased proportionally. But either way, people are willing to use Google checkout. A lot of these purchases were for fairly high dollar transactions, so there is definitely a degree of trust that rarely exists with any new system.

Anyone in an industry where you have a good chance of getting tech-savvy buyers may want to look again at using Google checkout, as there definitely are people who make purchases with it.

Original Post: Google Checkout vs. Everything else…

October 11th, 2006 by Jamie Estep

Visa is going public

Filed in: Industry News | 2 comments

Following the lead of MasterCard, Visa announced today that they are restructuring their company on a global scale including an IPO for the American branch of Visa.

Visa announced today that it intends to restructure its organization in order to create a new public global corporation called Visa Inc. As a part of this restructuring, Visa Europe will remain a membership association, owned and governed by its European member banks, and become a licensee of Visa Inc. Visa expects the proposed restructuring will best position the company to meet the evolving needs of its customers and will accelerate its growth by improving organizational efficiency, addressing certain legal claims that exist in some markets, and increasing access to capital.

MasterCard’s IPO was extremely successful, more than anyone thought, and Visa has the ability to make a lot of money with a public offering. This money will definitely be partly used as padding for a plethora of major upcoming lawsuits that could cost Visa hundreds of millions.

Subsequently, MasterCard reported a drop in their stock almost immediately after Visa announced its new plan. MasterCard stock has been assumed to be high above its actual value, and this could trigger the beginning of a slump for MasterCard. – Visa Announces Global Restructuring

October 4th, 2006 by Jamie Estep

A list of payment gateways

Filed in: Ecommerce | 3 comments

I just compiled a list of commonly used payment gateways.

I added my recommendation and a quick price comparison for the more popular payment gateways. Check it out, and let me know if I missed any major gateways.

October 2nd, 2006 by Jamie Estep

Google Checkout vs. Everything else…

Filed in: 3rd Party Processors, Ecommerce | 6 comments

Google recently released their payment system called Google checkout. Google checkout is a fairly easy to use merchant account alternative for businesses and individuals. Google checkout offers very low fees for use, and can be completely free if a business advertises using Google AdWords. For every $10 a business spends in AdWords advertising, they get $1 free in processing fees.

Google Checkout Implementation:
Despite what Google would like everyone to think, Google checkout is not easy for websites to implement. With the exception of a few very simple and limited uses, it is not easy to get Google checkout into an existing website, especially if the website is using a custom shopping cart system. The Google checkout API is an XML based system and is not something that most beginning programmers could easily tackle. Google does provide a handful of good scripts, but even with these, integrating Google checkout can be a daunting task. The integration scripts can be obtained by signing up for an account with the Google sandbox.

The current requirement to be eligible for the Google checkout program is a US bank account. Google is planning on making Google checkout available to more countries, but for the time being the US is the only country allowed. This single fact is probably one of the biggest reasons that Google checkout isn’t more popular.

The benefits of Google checkout:
The biggest benefit right now that I see with Google checkout is for AdWords advertisers. AdWords advertisers get to display a small Google Checkout Badge next to their AdWords listings. This small image could definitely help distinguish a particular AdWords ad from the others, creating a high click-through rate. Since most web users have no idea what Google checkout is, this could be taken as an unfair advertising advantage for Google Checkout customers.

The use of Google checkout on a consumer level is very limited. It is slowly growing in usage, but at this time is not a widely adopted payment method. Expect the number of consumers using Google checkout to grow over time, but unless Google really makes it beneficial for consumers, it is unlikely that Google checkout will ever compete with PayPal or credit cards.

I am a firm believer in making the online shopping experience as easy as possible for website shoppers and this includes making all popular payment methods available to website visitors.

The negatives of Google checkout:
The biggest complaint that I have, apart from the difficult integration, is that Google requires websites using Google checkout to display Google checkout buttons all over the website. There are also a ton of regulations that are simply unnecessary.

Display a Google Checkout button immediately beside, above, or below every existing checkout button or link on your website.

Let’s be honest here. Google is really turning off the desire to use Google checkout by forcing Google checkout users to place large Google buttons all over a website. It’s also against policy to host the Google checkout images yourself, and it is against policy to alter the images (including resizing) in any way.

Google needs to have some consideration for website owners wanting to maintain the integrity of the look of their websites. Not many respectable websites want to have Google checkout buttons all over the place. Obviously Google doesn’t care about this, because they just want more users at this time. Another deterrent to putting Google checkout on your site.

The other major problem with Google checkout is that it is not an accepted or allowed payment method with eBay. This means that it is against eBay policy to pay or offer to accept Google checkout on an eBay auction, and doing so can result in getting suspended or banned. Any Google checkout purchase made on an eBay auction immediately removes all eBay buyer and seller protection. If you get ripped off as a buyer or seller, there is no recourse.

If you are an AdWords customer, and you sell products, then Google checkout is a good system. You can get that little Google Checkout Badge next to all your AdWords listings, and this is bound to help your AdWords click rate.

As for businesses just looking to accept Google checkout from their customers, my vote is to hold off. There are simply not many people wanting to pay with Google checkout. The amount of purchases from Google checkout customers isn’t going to be worth the trouble to integrate it into your website, and won’t be worth clogging up your website with a bunch of ugly Google checkout buttons designed to circumvent your existing checkout process. Anyone that uses Google checkout also has a credit card, and most likely has a PayPal account. If you’re going to add another payment option for your customers, go with PayPal. Wait until Google gets some people using it, wait for them to relax on their rules, and wait for it to be allowed on eBay.

The Google Checkout Blog has some good information about the Google checkout program, but expect it to be extremely biased as it is a Google blog.


September 19th, 2006 by Jamie Estep

Visa Security Alert Released

Filed in: Industry News

Visa has just issued a security alert relating to the storage of magnetic stripe data.

Visa is aware of compromises of credit and debit card account information resulting from the improper storage of magnetic stripe data (“track data”) after transaction authorization is completed. Track data refers to the information encoded in Track 1 and 2 contained within the magnetic stripe on the back of a payment card.

This information is received by a merchant’s point-of-sale (“POS”) system when a payment card is swiped through a terminal. Some merchant POS systems improperly store this data post authorization in violation of longstanding Visa USA Operating Regulations. Hackers are aware of this vulnerability and are targeting vulnerable POS systems to steal this information.

Download the security report on the download page or here.

September 14th, 2006 by Jamie Estep

A credit card terminal from First Data (FD-100)

Filed in: Credit Card Equipment, Merchant Accounts | 22 comments

FDMS recently came out with their own credit card terminal called the FD-100.

The FD-100 is a small, simple credit card terminal that is poised to become a major competitor on the counter top of companies processing on First Data platforms. First Data is by far the largest processor in the US, making this terminal available for a large number of businesses.

What sets the FD-100 apart from the competitors is the advanced features at a very low price (most likely around $200). While it is lacking an internal pinpad, it has a touch screen, and comes with the ability to process over the internet (IP capable) right out of the box, with a separate WiFi module available for WiFi wireless processing. The printer is a quick 15 lines per second thermal printer, using a standard paper size. The terminal itself supports recurring billing and has a built-in function to process corporate cards, automatically prompting for the extra required information. The terminal is compatible with gift card and check service programs, including TeleCheck. The terminal has tip applications for restaurants, can be set up with automatic gratuity, has an open/close tab option for bars or restaurants, and can be programmed with gratuity recommendation lines for customer receipts. The memory will store up to 450 credit transactions, and the terminal stores information for the previous 8 batches for quick reference.

The FD-100 is currently supported on the FDMS Nashville platform, and will be certified on the FDMS Omaha platform in a few weeks (FDMS Platform information).