Information on Merchant Accounts,
Ecommerce and Credit Card Processing

April 5th, 2006 by Jamie Estep

Payment processor fears credit card crooks

Filed in: Fraud, Industry News |

Several Web hosting companies that use the Authorize.Net service to accept credit cards online saw a sudden spike in transactions over the weekend. The transactions, most for $500 and $700, were billed to Visa, MasterCard and American Express cards that belong to people across the U.S., representatives for three Web hosts told CNET

The Web hosting companies discovered the unusual charges through e-mail alerts that Authorize.Net sends after each transaction. Close to 3,000 suspicious transactions were pushed through the merchant accounts of three companies with which CNET spoke, and more likely happened at other Web hosts, these three companies said.

On Sunday morning, in about an hour-and-a-half time period, fraudsters ran close to 1,500 transactions through the Authorize.Net account of Defender Technologies Group, a Web host in Ashburn, Va., said Tom Kiblin, the company’s CEO. “It was just under $1 million that got put through on our account,” he said. Kiblin says he has reported the matter to the U.S. Secret Service.

This sounds like a really bad credit card fraud case, but looking at the situation positively, the business caught the huge amount of fraudulent charges before it became an even bigger problem. If these credit card numbers were obtained from a single source, there should be very little trouble finding where the data was lost at. Visa and MasterCard have systems dedicated to tracking down the source of a loss of information, by matching similarities in charges on different credit cards.

Full Article –

April 4th, 2006 by Jamie Estep

A Guide to Small Business Security, Free PDF Download…

Filed in: Ecommerce, Fraud, Guides, Merchant Accounts, My Favorite Posts |

The BBB has co-authored a guide to help small businesses be secure and to help protect user privacy. This is an excellent guide for any small business. It was sponsored by Visa, IBM, Equifax, Verizon, The Wall Street Journal, Ebay, and Paypal. We support and recommend these practices in every way.

Small Business Security

Please click on the link to view the PDF, or download the ZIP version to your computer.
Guide to Small Business Security PDF
Guide to Small Business Security ZIP Download

April 3rd, 2006 by Jamie Estep

CISP, SDP, PCI Compliance required for every business…

Filed in: Ecommerce, Fraud, Merchant Accounts, My Favorite Posts |

CISP LockSDP /CISP / PCI is a standard that many businesses must adhere to to help protect consumer data. CISP (Cardholder Information Security Program) is a Visa security standard that is designed to help protect all levels of business from fraud and loss of data. MasterCard has a similar program called SDP (Site Data Protection). CISP / PCI is a standard that is designed to help secure and protect sensitive data specifically relating to the payment card industry. CISP compliance extends beyond online businesses and applies to Retail (brick-and-mortar), and Moto (keyed entry) businesses in addition to ecommerce. CISP compliance is outlined here rather than the SDP program because it is more restrictive and better organized.

PCI / CISP is designed to be implemented by any businesses that accepts of facilitates credit card transactions or the handling of sensitive credit card and user information. Businesses that do not store or handle credit card information, are not subject to CISP regulations.

Visa: Note that these Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit card-holder data. Additionally, these security requirements apply to all “system components” which is defined as any network component, server, or application included in, or connected to, the card-holder data environment. Network components, include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including internal and external (web) applications.

PCI / CISP Basic Requirements:

  1. Install and maintain a firewall configuration to protect data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored data.
  4. Encrypt transmission of card-holder data and sensitive information across public networks.
  5. Use and regularly update anti-virus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to card-holder data.
  10. Track and monitor all access to network resources and card-holder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.

If you read the full CISP manual, you will find that each requirement is broken into several sub-requirements. CISP attempts to leave no stone unturned and no margin for error.

How To Implement PCI / CISP:
Most of the CISP requirements are simple common sense. CISP is heavily geared toward websites and other easily accessible systems where there is a huge potential for a loss of sensitive data. Many of the technical issues are very complex and the requirements are very strict. I have helped to secure several web servers for CISP compliance, and to say that the requirements are strict is a gross understatement. Not only are there basic firewall and network infrastructure requirements, but there are hundreds of update, software versions, and patch requirements that must be met for a web server to be CISP compliant. A single missing software version update, or patch, or a single compromised web port, will cause a server to fail CISP compliance.

To start on the road to compliance look at the Visa PCI / CISP Pdf linked at the bottom of this document. All of the requirements are listed to be CISP compliant. After you meet all of the requirements, you will need to get with a company that certifies businesses for CISP compliance. They will normally perform a series of checks on your server, and give you the results of their inspection. The checks that they perform are essentially an attack on your web server, and they will try to exploit any known vulnerability. They also check the software, and current versions of several applications on the server making sure they are all up to the current version. You can also start by doing a scan and fix whatever areas are not up to standard.

A Warning: Make sure your web host knows that you are going to be doing these tests, or they may mistake them for a true attack.

CISP non-compliance and loss of data penalties:
The fines for not complying with CISP are low, up until there is an actual loss of data. Visa and MasterCard can shut down or fine non-complying merchants, but due to the current lack of organization and the impossibility to monitor every business and organization, larger companies are the only ones who are currently monitored. It is the responsibility of a business to ensure that they take the steps to become CISP compliant. If a business is not CISP compliant and a loss of data occurs, there is a $500,000 fine from Visa alone for loosing data and an additional $100,000 fine just for not being CISP compliant. $600,000 for not-becoming CISP compliant and loosing data because of it, and this applies for any business that accepts credit or debit cards. A single credit card number that is lost and is traced back to a business is considered a loss of data.

Apart from the monetary penalties, it never looks good when a business looses data. News agencies jump on these stories, and instantly make a business look like a criminal organization. I’m sick of reading about them, and I’m sure you are as well, so protect your data.

I personally don’t recommend storing credit card numbers at all in an online database. Not only is the CISP compliance very difficult to achieve, but it just isn’t a safe practice. If card information is stored online, it must also be encrypted so that if there is some sort of data loss, the data will be useless. Even with CISP compliance it is still possible for someone to gain access to a server. No matter how secure something is, there is almost always a way for the system to become compromised. Also for retail businesses, employees are one of the largest causes of loss of data. Card information should only be accessible by select people that need access to it.

PCI / CISP Resources:
Visa CISP / PCI Compliance PDF
ScanAlert – PCI CISP Certification

Related Articles:
Credit Card Truncation

March 31st, 2006 by Jamie Estep

CardSystems Security Breach Settlement

Filed in: Industry News |

CardSystems gained notoriety last year when they experienced that largest loss of financial and credit card date in history. As many as 40 million credit card numbers were compromised after CardSystem’s database was hacked. The database was apparently unencrypted resulting in a potential total loss of customer information.

CardSystems was acquired by pay By Touch shortly after the incident and CardSystems subsequent breakup. Pay By Touch must now implement a third-party managed information security program for the next 20 years.

March 28th, 2006 by Jamie Estep

Gone Phishing – Protecting yourself and identifying phishing attempts.

Filed in: Fraud | 5 comments

Paypal and other financial institution phishing is a major concern for many individuals and businesses. I personally get several hundred phishing emails per day and a huge percentage of them are ebay and paypal phishing attempts.

Phishing is type of fraud where an email is sent to a person and the sender of the email is acting like a major institution, trying to get the user to log into their website. What the person getting the email sees when they click on the link, is a duplicate of the real website, made by he person sending the email. The duplicate website will have a form that the user inputs information into, and is normally a login box. Once the user enters their information and presses submit, the information is sent to the person who sent the email. The phisher just obtained the login information from the person who was phished. They also now have full access to whatever website the user-name and password are used at. They can empty your bank account, make fake ebay purchases, or anything else that the website allows them to do, and they are doing it as you…

Phishing a normally easy to spot, but recently I have been receiving better planned and implemented websites and phishing emails.

The sure proof guide to not getting phished.
First off you need to know two things. First, reporting phishing attempts does absolutely nothing, so don’t waste your time. Phishing attempts and the website’s that go with them are almost always hijacked, so reporting them will not lead authorities or anyone else to the responsible party. Second, there is nothing you can do to stop getting phishing emails, so don’t concern yourself with that one either.

1. Don’t Click
The most important thing to do, to not get phished, is to never click on a link in an email that asks, requests, begs, prays, or anything else in attempt to get you to login or even access a website. If you need to access the website, open a new browser window, type the website address in the new window, and login to the website from there. Whether you think the email is a phishing attempt or not, this is just plain common sense to protect yourself. If you never click on a link to a phishing website, you will never be a victim of phishing fraud.
New Window

2. Delete any identified phishing emails
Identifying phishing emails can be difficult, but a few simple flags will tell a phishing email from a real email almost every time. One thing you should have is a computer based email program. Online email like yahoo or hotmail, are terrible at helping a user to identify a phishing email. If you need an online email, I recommend using gmail, which also allows POP3 access from your home computer. Use Microsoft Outlook or Outlook Express to view your gmail emails. Using Outlook or Outlook Express will allow you to view extra information that is sent with each email. Whether you use an online program or Outlook, there are several flags that will make phishing emails stand out.

  1. Email sender is not who the message is from.
    • The email sender in the header or the from box is different than who the message appears to be from. This would be like getting an email from chase bank, but in the FROM: field, Reply-To: field or in the header itself the message is from
  2. The link that the page wants you to click on is a large, fake, or obscure address.
    • A phishing email will always try to get you to visit the fake website to enter your information. When you place your mouse over the link, look at the URL that appears. Another way to view the link in a web based email is to right click on the link and select ‘copy target’ or ‘copy link location’. Then paste the link in your web browser address bar and look at the link. If the email is real, the link will be directly to the website organization. If the email is fake, it will normally have a large obscure website address.
    • Good Link:
    • Bad Link:
  3. The email ends up in your spam box.
    • As simple as it seems, emails that end up getting hit by spam filters are filtered for a reason. While recently I have been seeing phishing emails routinely make it through the most strict spam filters, the majority of phishing emails will get caught in web based, and outlook spam filters. If it goes in your spam folder, it did so for a reason, so be extra careful with that email.

3. Use a different email address if you run websites
This is targeted at webmasters and others who manage websites. If you have websites and you have customer service email addresses on them, never use those email addresses for paypal, ebay, your bank, or any other personal, financial, or access related purposes. Keep the email addresses on your websites completely independent of ones you use for paypal, ebay, etc. The reason is that, spammers get huge lists of email addresses by scrubbing websites for email addresses. They send phishing emails to the email addresses that they collect. If the phishing emails you get are sent to the email addresses that your website’s use, then you instantly know that they are fake.

4. If you click on a link, make sure you are where you should be
If you do click on a link in your email, make sure that the link sends you to the actual organization’s website and not a fake. Look at the address bar. Does it look right?
Notice how the link in the address bar is not paypal, but the page looks just like the login page. This a phishing page. Never enter your information if the address in the bar is different from the organization that you are trying to visit.

A good phishing example:
This example is one of the best phishing emails I have ever seen. It instantly made me want to click on the link. It passed every spam filter I have and if I did not know exactly what to look for in a phishing email, I could have been a victim of it.


March 24th, 2006 by Jamie Estep

MSN Money – 22 ways to foil credit card thieves…

Filed in: Industry News |

You probably won’t end up paying the bill, but a stolen credit card can still cost you big in time and aggravation. Here’s how to protect yourself online and off.

In some ways, credit card fraud isn’t the problem it’s often made out to be.

Visa says fraud accounts for about 7 cents of every $100 spent on its credit cards, an all-time low and about half the rate of 10 years ago. Add to that the fact that the major credit card companies have “zero liability” policies, which means the vast majority of consumers who are victims don’t wind up paying a dime out of their own pockets.

This is a great article targeted at consumers about how to protect themselves from credit card fraud, and how credit card fraud effects them.

March 21st, 2006 by Jamie Estep – Conversion Rate, Usability, and Marketing Blog

Filed in: Industry News |

I just started a new blog today, after making yesterday’s post. The blog is going to be geared toward web usability, increasing customer conversion on and offline and anything else related to making a business sell better.

Hopefully it can become a great resource for business owners. – Conversion Marketing Blog

March 20th, 2006 by Jamie Estep

Online Stores – Shopping Cart Abandonment – Don’t do this…

Filed in: Ecommerce, Guides |

I was online today purchasing some network hardware for the company, and after visiting about 20 different sites, all with similar prices, it was only one site that ended up getting my business.

Accepted Payment MethodsIt made me wonder why, of all the websites that I visited, and all the shopping carts I added products to, did I chose the one that I did. I then remembered reading a shopping cart abandonment article a few weeks ago, and I put my experience and the article together. I normally don’t write about this specific topic even though it is one of my strongest areas, but so many sites are making the same simple mistakes.

Why I abandoned so many shopping carts:

  1. Required Customer Registration.
  2. Not listing accepted payment methods.
  3. Not listing shipping prices early enough.

You can read articles all you want about shopping cart abandonment and user conversion, and while there are probably hundreds of reasons why a customer might abandon a shopping cart, there are three above all others that will kill your customer base. These three are coincidentally the same three that caused me to leave so many websites.

1. Required Registration: The number one shopping cart killer in my research and personal opinion is requiring customers to register before they can place an order. Customer registration can be a very useful tool, and can greatly improve future experience with customer support and tracking, but don’t require it. Not everyone wants to register with your website. If every website I place an order with required me to register, I would have several hundred memberships each year across the internet. If you require registration, you just lose me, as well as a huge amount of other potential customers from ever ordering from your site.

Offer registration as an option, and give users the specific benefits of registering, but also allow an easy way to place an order without doing it.

2. Not showing what methods of payment you accept: While not quite as annoying, this one comes in at a close second to required registration. When I get to an ecommerce site, especially one that has lots of products that can be found at several thousand similar websites across the internet, I need to know how I can pay. I should know long before I think about checking out, how I am able to pay for the merchandise that I want. What if I want to use the company Amex card, or I need to use paypal today. Let me know how I can pay. If I cant find it at the very latest by the shopping cart page, you can probably consider my business lost. I shouldn’t have to search for this, it should be in a very conspicuous place on every single page of the website. The footer and sidebar make excellent places to put a website’s accepted payment methods.

To compound problems, if you only show your accepted payment methods after a visitor is forced to register, you can probably assume that you are loosing 50% or more of the people who otherwise would have made a purchase from you.

3. Not showing shipping prices early on: Shipping prices allow a bit more leniency because you cant normally give a shipping price until a visitor’s order is summed up, but show the shipping prices as soon as they can possibly be generated. Don’t wait until the payment form. Show them on the shopping cart page if possible. Or, if you have fixed shipping prices, give customers an idea of how much their order will cost to ship.

It doesn’t get any more frustrating than going through a checkout process, to later find that my bicycle handlebar grips which cost $10 are going to cost $35 to ship FedEx ground.

You are not
Unless you sell something that is absolutely unique that everyone wants, or your prices are so low that your visitors are willing to jump through hoops to buy from you, don’t do any of these on your website. Make it as convenient and easy as possible for your visitors to make a purchase from you, and your visitors will reward you for it. Use common sense when designing a website and shopping cart. If something doesn’t have a useful purpose or is confusing, get rid of it. There are hundreds if not thousands of things that can help or hurt a website’s customer conversion rate, but these three will make a marked difference in almost every website’s efficiency.

March 17th, 2006 by Jamie Estep

Visa Warns of Cash-Register Flaw – Consumer Data Privacy Concerns

Filed in: Industry News |

Visa has put out a warning to consumers and businesses about POS system flaws that can jeopardize credit and debit card holder’s security. These POS systems are used by many of America’s largest retail chains.

Visa USA Inc. is warning that two versions of popular software installed at cash registers could be used to steal information from credit and debit cards.

The software, which is used by retailers to help ring up transactions, can be used — sometimes inadvertently — in a way that allows the cash register to store customer data, such as personal-identification numbers used in debit-card transactions. Under card-industry guidelines, retailers aren’t supposed to store that information because it can fall into criminal hands if a computer system is hacked or an unauthorized person gains access to it…

The software company ‘Fujitsu Transaction Solutions Inc.’ denies that its software is being used to steal customer data. Visa has not specified whether the data is being recorded as result of a glitch or from malicious intent.

These reports come several weeks after reports of large amounts of debit card fraud has been traced to OfficeMax stores around the US.

This story can be found at the Wall Street Journal Online: but is available by subscription only.

March 15th, 2006 by Jamie Estep

TMF’d – What to do if you are are placed on the terminated merchant ‘match’ file…

Filed in: Ecommerce, Guides, Merchant Accounts, My Favorite Posts | 19 comments

I wish I could say that every business that is placed on a terminated merchants file deserves it. Unfortunately I would be absolutely lying to say so.

TMF Match FileThe Terminated Merchants File (TMF) or match file is basically a list of merchants that have had their merchant accounts closed down by their processing bank on negative terms. This list, which resembles McCarthy’s black list during the cold war, is a stop-all flag that credit card processing companies in America abide by. If you are placed on the match file, you, any partner of your business, your business itself, and possibly anyone at your address can not sign up for a merchant account with a US based processing bank. Processing companies take the match file very seriously.

How to get on the list:
When a merchant ends their contract with a merchant provider in a negative way, their name can be placed on this list. Unfortunately, not all business placed on the list even know they are on it until they try to get setup processing credit cards with another company. The rules to place a merchant on the list are fairly limited, but seem often abused.

The easiest way to get on the list is to close your contract with a merchant provider and not pay your final bill. Failing to fulfill your contract is almost a guarantee that you will get put on the match file. Your final bill includes any processing costs that you owe, but also includes any monthly, yearly, or termination fees that were specified on your merchant contract. You are also liable for 6 months past the settlement date of the final transaction that was processed on your merchant account. The settlement date is defined as the date that the service or merchandise was fully delivered to and accepted by the customer. Basically, if you sold someone a 1 year magazine subscription, you are liable 6 months after they get their last issue.

Merchants are normally placed on the TMF file for failing to pay their final bill, but can also be placed on it for reasons that can be out of their control. High chargeback ratios, processing fraudulent transactions and breaking a merchant account contract are other common reasons for being placed on the TMF. Running your own credit card through your own merchant account can also get your account closed and TMF’d.

What to do to get off the file:
The only company in the world that can get you off the TMF, is the company that put you on it. It does not matter who you talk to, what they promise, who they are, or anything else, it always comes down to the company that put you on it. Business normally learn that they are on the TMF when they try to open a merchant account with another company.

The company that puts a merchant on the TMF is the processor that is taking on the risk of allowing the business to process with them. These are often the back end companies that you may have never had any personal contact with. FDMS, Nova, Global, and others are back-end processors. Merchant Service Providers and resellers are not normally the companies that can put a merchant on the TMF, unless they are taking on the risk of your credit card processing, so calling them may have no effect, but regardless, the company you signed up your merchant account with is who you should contact first.

After you find that you are placed on the TMF, assuming that you don’t know why you’re on the list, you should first call your former merchant account provider. You are going to be inevitable led on a wild goose chase of phone tag with different departments in the company. Hopefully you can reach someone who can give you answers within a person or two. You may finally be referred to the processing bank itself, but in either case, after some diligent calling you should be able to track down someone who can inform you of your situation. The most important thing to remember right now is to remain calm and courteous to every person you talk to, no matter how upset or angry you may be. Yelling and acting aggressively toward people at this state is only going to create problems. It is understandable that you are frustrated with the situation, but most of the people you talk to do not have the ability to directly change things. Once you reach someone that can explain your situation to you, possibly in the risk department, they should be able to tell you why you are on the match file and what you need to do to get off the file. At this point make sure you get a more direct phone number for someone that you can correspond with about the situation.

Depending on why you are on the TMF, it can be easy to impossible to get off the TMF. If you are on it for committing fraud yourself through your own merchant account, don’t count on ever getting off. Processors do not like fraud in any way, and if you as a business owner were the cause of it, they will not ever want to provide services to you again.

If a business was placed on the match file for a high chargeback ratio, time is normally the only thing that will get the business off. The processor needs to know that they aren’t going to get stuck with any unanswered bills from the merchant’s former customer’s Chargebacks.

If you didn’t pay your final bill, it may just be a matter of making good on your debt with your former processor. I have seen this as low as a few dollars, and the merchant was removed about a week after they made payment.

Unfortunately the majority of the time it is not that simple to get off the match file. It normally takes several weeks to get off the match file. Sometimes it takes negotiations to get charges cleared up, or fees removed. At this point every case is unique. If after a few weeks you are not making any headway, you may need to consult a lawyer. Processors normally use a system called arbitration to avoid taking individual cases to court. It is cheaper than going to a court, and the results are often better for both parties.

It is a good idea to have a clear understand the rules of Visa and MasterCard. Knowing about the match file, and the general regulations of Visa and MasterCard can help a lot when trying to get off of it.

If you need legal assistance in getting of the Match file, you will unquestionably need a lawyer that has experience in bankcard law. Here are a few resources to help you if you find yourself in that situation. I do not personally have experience with these companies but several have been recommended to me and these seem reputable. Use your own judgement before choosing an attorney.

How to stay off the match file:
Signing up with the wrong processor greatly increases a businesses chance to ever get put on a match file, especially for incidental reasons. I personally recommend signing up for a merchant account with FDMS or Nova as the back end processor, as businesses with these companies are much less likely to experience problems with the match file. In any case, make sure the provisions of the merchant account application, particularly the contract period and any associated termination fees are well understood before signing.

Related Posts:
Why are some companies offering free credit card terminals with their merchant accounts?
What Does All This Mean? – Merchant Account Fees
Credit Card Processing No No’s
Avoiding a Bad Merchant Service Provider