Wireless credit card machines hold the future of credit card processing. Wireless credit card machines offer businesses the ability to process credit and debit card at virtually any location. There are several common pitfalls not found with traditional credit card terminals that a potential buyer can fall into if not careful when looking to purchase a wireless credit card terminal. Over priced equipment, wireless coverage availability, and outdated equipment top the list for the most common problems found when purchasing a wireless credit card machine.

Common Pitfalls

Pitfall – 1, Over Priced Equipment
The most common wireless terminals in use in the US are the Nurit 3010, the Nurit 8000, and the Nurit 8000 GPRS. The manufacturer Lipman, only makes 1 version of each terminal. The price for any of these terminals should fall into the $700 – $900 range for a new terminal. Anything higher and you are being ripped off. No matter what your provider tells you, this is how much you can buy these terminals for. There are no other versions of these terminals, so don’t be talked into an overpriced terminal.

Pitfall – 2, Outdated Equipment, Outdated Networks
It is often very easy to find a ‘very low’ priced wireless credit card terminal on ebay or at other marketplaces. Many of these terminals use outdated processing networks, and what was a wireless terminal, will no longer work for wireless processing. Many Nurit 3010, and Nurit 2090 wireless terminals use a network called the CDPD network. This wireless network is all but abandoned for credit card processing and you will not be able to use this terminal for wireless processing.

Make absolutely sure that the wireless terminal that you are buying is not one made for the CDPD network. If the seller does not know, or will not disclose what network the terminal is programmed for, then do not buy the terminal. In general, if the offer just sounds too good to be true, then it probably is. Also, many merchants that are selling their used terminals may have no idea what network the terminal operates on. Whatever the case, you need to make sure the terminal is not programmed for the CDPD network.

Pitfall – 3, Wireless Processing, Wireless Service Coverage
The ability of being able to process anywhere at any time is a great asset for many mobile businesses. But, don’t confuse the coverage area that your cellular phone gets with what is available for wireless processing. Wireless credit card terminals currently operate on three wireless networks; the Motient, Mobitex, and GPRS Edge networks. All three of these networks are considered business class networks that have much better data, speed, and security than traditional cellular networks. Wireless processing networks also have much lower cellular coverage availability than cellular phone networks.

(more…)

Ebay and Paypal now seem like they were a match made in heaven. Paypal and Ebay started out as two different companies. Both Ebay and Paypal have grown very rapidly. After both Ebay and Paypal became well established, Ebay saw huge potential in Paypal and several other smaller 3rd party processing companies. Ebay did what any other corporate monster would do. They bought all of them.

Even though Ebay and Paypal work seamlessly together and Paypal is widely accepted, it is important for Ebay sellers to look at accepting other payment methods for their Ebay sales.

Why?…

I have done a significant amount of research in my selling on Ebay. I have three Ebay accounts, one personal and two business, all three are power seller accounts. In my experience, if you accept ‘only Paypal’ on Ebay, you are loosing between 20% and 30% of your potential customers from Ebay. If you sell primarily business to business, you are probably loosing a lot more than that.

Paypal is notorious for some of the worst customer service and poorest user experience of any online service, ever…

There is a huge population of people who absolutely refuse to use Paypal, under any circumstance. There is no middle line. Whether these people have gotten ripped off through Paypal, had their account held, or just don’t like Paypal, is irrelevant. The fact is that these people may want to buy from you, and while you may have the best prices or best service ever, you cant have their business.

My personal belief in business, is that making the buying process for your customers easy and trouble free, is absolutely key to gaining new and keeping current customers. This extends into online sales and any other channel of sales and marketing that your company uses.

Give customers another option for payment:
Accepting credit cards is the best alternative to Paypal for Ebay sellers. Checks are also a good fit, but only if a business is able to accept the checks electronically over the phone or online. Cash is the least convenient method of paying online, and I wouldn’t even consider it as widely used on Ebay. Mailing in checks or money orders is time consuming, and offers very little protection from fraud. From time to time I still see sellers that only accept checks or money orders by mail, and I personally will not buy from them. If you only accept payment by mail, I pretty much guarantee that you will see a jump in sales if you switch to electronic payment. Apart from this, many people don’t factor in the time it takes to go to the bank, make a deposit, wait for it to clear, hope it clears for checks. Time is the most valuable resource, and I know that everyone has better things to do than go to the bank, especially for business owners.

Even if you need to have your Ebay customers call when they want to pay with a credit card or check, you are still providing your customers with the method of payment that they chose. Whether you believe the customer is always right or not, it is un-arguable that customers make business possible. Make your customers happy by giving them the options that they want, and they will reward you for it.

There are of course integrated solutions that will allow your website to integrate your Ebay sales into it, and 3rd party checkout systems. While these systems are often very high quality, this often comes at a price that is too high for smaller Ebay sellers. For this reason, accepting Ebay payments over the phone is one of the cheapest and easiest methods available.

Paypal is so much cheaper:
Paypal is cheaper only when a business does an enormous volume of transactions. Otherwise, the fees for Paypal and the fees for a merchant account are very similar. Accepting checks electronically is normally cheaper than credit cards, and therefor cheaper than Paypal as well.

Paypal also does their best to remove customer and business owner’s rights when a disagreement does happen. Merchants on Paypal often have their accounts frozen for high sales volumes, and both sellers and buyers often lose as a result of fraud. This is another of the numerous reason why people dislike Paypal.

Conclusion:
20% – 30% seems like a lot to me. That could easily be the difference between a successful business and a failure. These numbers may not prove exact for every person that sells on Ebay because of the vast difference in buyer trends with each type of product, but having tested loosing 20% of business when credit cards are not an option is enough proof for myself.

I normally try to keep SEO separate from the realm of credit card processing, but this is a great article written by Bill Hartzer that details the importance of optimizing ecommerce websites. Ecommerce websites are often cookie-cutter OsCommerce and other dynamic shopping based sites, and this article can greatly help those sites to rank in the search engines. Even if you don’t run an OsCommerce website, this article is a must for anyone involved in ecommerce.

Bill Hartzer manages the Search Engine Marketing division of MarketNet Inc http://www.marketnet.com. He is also a fellow moderator of mine at the webproworld forums http://www.webproworld.com/forum.php.

If you run an ecommerce site, then you know that it’s important to make sure that your products show up in the organic search results ahead of your competitors-especially if your competitor is selling the same products. Optimizing your ecommerce web site for the search engines can be tricky at times, so we’ll examine what’s really required in order for your products to rank better than your competitor’s products in the organic search results.

Full Article

Several Web hosting companies that use the Authorize.Net service to accept credit cards online saw a sudden spike in transactions over the weekend. The transactions, most for $500 and $700, were billed to Visa, MasterCard and American Express cards that belong to people across the U.S., representatives for three Web hosts told CNET News.com.

The Web hosting companies discovered the unusual charges through e-mail alerts that Authorize.Net sends after each transaction. Close to 3,000 suspicious transactions were pushed through the merchant accounts of three companies with which CNET News.com spoke, and more likely happened at other Web hosts, these three companies said.

On Sunday morning, in about an hour-and-a-half time period, fraudsters ran close to 1,500 transactions through the Authorize.Net account of Defender Technologies Group, a Web host in Ashburn, Va., said Tom Kiblin, the company’s CEO. “It was just under $1 million that got put through on our account,” he said. Kiblin says he has reported the matter to the U.S. Secret Service.

This sounds like a really bad credit card fraud case, but looking at the situation positively, the business caught the huge amount of fraudulent charges before it became an even bigger problem. If these credit card numbers were obtained from a single source, there should be very little trouble finding where the data was lost at. Visa and MasterCard have systems dedicated to tracking down the source of a loss of information, by matching similarities in charges on different credit cards.

Full Article – http://news.zdnet.com/2100-1009_22-6057305.html

The BBB has co-authored a guide to help small businesses be secure and to help protect user privacy. This is an excellent guide for any small business. It was sponsored by Visa, IBM, Equifax, Verizon, The Wall Street Journal, Ebay, and Paypal. We support and recommend these practices in every way.

Please click on the link to view the PDF, or download the ZIP version to your computer.
Guide to Small Business Security PDF
Guide to Small Business Security ZIP Download

SDP /CISP / PCI is a standard that many businesses must adhere to to help protect consumer data. CISP (Cardholder Information Security Program) is a Visa security standard that is designed to help protect all levels of business from fraud and loss of data. MasterCard has a similar program called SDP (Site Data Protection). CISP / PCI is a standard that is designed to help secure and protect sensitive data specifically relating to the payment card industry. CISP compliance extends beyond online businesses and applies to Retail (brick-and-mortar), and Moto (keyed entry) businesses in addition to ecommerce. CISP compliance is outlined here rather than the SDP program because it is more restrictive and better organized.

PCI / CISP is designed to be implemented by any businesses that accepts of facilitates credit card transactions or the handling of sensitive credit card and user information. Businesses that do not store or handle credit card information, are not subject to CISP regulations.

Visa: Note that these Payment Card Industry (PCI) Data Security Requirements apply to all Members, merchants, and service providers that store, process or transmit card-holder data. Additionally, these security requirements apply to all “system components” which is defined as any network component, server, or application included in, or connected to, the card-holder data environment. Network components, include, but are not limited to, firewalls, switches, routers, wireless access points, network appliances, and other security appliances. Servers include, but are not limited to, web, database, authentication, DNS, mail, proxy, and NTP. Applications include all purchased and custom applications, including internal and external (web) applications.

PCI / CISP Basic Requirements:

1. Install and maintain a firewall configuration to protect data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored data.
4. Encrypt transmission of card-holder data and sensitive information across public networks.
5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.
7. Restrict access to data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to card-holder data.
10. Track and monitor all access to network resources and card-holder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security.

If you read the full CISP manual, you will find that each requirement is broken into several sub-requirements. CISP attempts to leave no stone unturned and no margin for error.

How To Implement PCI / CISP:
Most of the CISP requirements are simple common sense. CISP is heavily geared toward websites and other easily accessible systems where there is a huge potential for a loss of sensitive data. Many of the technical issues are very complex and the requirements are very strict. I have helped to secure several web servers for CISP compliance, and to say that the requirements are strict is a gross understatement. Not only are there basic firewall and network infrastructure requirements, but there are hundreds of update, software versions, and patch requirements that must be met for a web server to be CISP compliant. A single missing software version update, or patch, or a single compromised web port, will cause a server to fail CISP compliance.

To start on the road to compliance look at the Visa PCI / CISP Pdf linked at the bottom of this document. All of the requirements are listed to be CISP compliant. After you meet all of the requirements, you will need to get with a company that certifies businesses for CISP compliance. They will normally perform a series of checks on your server, and give you the results of their inspection. The checks that they perform are essentially an attack on your web server, and they will try to exploit any known vulnerability. They also check the software, and current versions of several applications on the server making sure they are all up to the current version. You can also start by doing a scan and fix whatever areas are not up to standard.

A Warning: Make sure your web host knows that you are going to be doing these tests, or they may mistake them for a true attack.

CISP non-compliance and loss of data penalties:
The fines for not complying with CISP are low, up until there is an actual loss of data. Visa and MasterCard can shut down or fine non-complying merchants, but due to the current lack of organization and the impossibility to monitor every business and organization, larger companies are the only ones who are currently monitored. It is the responsibility of a business to ensure that they take the steps to become CISP compliant. If a business is not CISP compliant and a loss of data occurs, there is a $500,000 fine from Visa alone for loosing data and an additional $100,000 fine just for not being CISP compliant. $600,000 for not-becoming CISP compliant and loosing data because of it, and this applies for any business that accepts credit or debit cards. A single credit card number that is lost and is traced back to a business is considered a loss of data.

Apart from the monetary penalties, it never looks good when a business looses data. News agencies jump on these stories, and instantly make a business look like a criminal organization. I’m sick of reading about them, and I’m sure you are as well, so protect your data.

Overview:
I personally don’t recommend storing credit card numbers at all in an online database. Not only is the CISP compliance very difficult to achieve, but it just isn’t a safe practice. If card information is stored online, it must also be encrypted so that if there is some sort of data loss, the data will be useless. Even with CISP compliance it is still possible for someone to gain access to a server. No matter how secure something is, there is almost always a way for the system to become compromised. Also for retail businesses, employees are one of the largest causes of loss of data. Card information should only be accessible by select people that need access to it.

PCI / CISP Resources:
Visa CISP / PCI Compliance PDF
ScanAlert – PCI CISP Certification

Related Articles:
Credit Card Truncation

CardSystems gained notoriety last year when they experienced that largest loss of financial and credit card date in history. As many as 40 million credit card numbers were compromised after CardSystem’s database was hacked. The database was apparently unencrypted resulting in a potential total loss of customer information.

CardSystems was acquired by pay By Touch shortly after the incident and CardSystems subsequent breakup. Pay By Touch must now implement a third-party managed information security program for the next 20 years.

Paypal and other financial institution phishing is a major concern for many individuals and businesses. I personally get several hundred phishing emails per day and a huge percentage of them are ebay and paypal phishing attempts.

Phishing is type of fraud where an email is sent to a person and the sender of the email is acting like a major institution, trying to get the user to log into their website. What the person getting the email sees when they click on the link, is a duplicate of the real website, made by he person sending the email. The duplicate website will have a form that the user inputs information into, and is normally a login box. Once the user enters their information and presses submit, the information is sent to the person who sent the email. The phisher just obtained the login information from the person who was phished. They also now have full access to whatever website the user-name and password are used at. They can empty your bank account, make fake ebay purchases, or anything else that the website allows them to do, and they are doing it as you…

Phishing a normally easy to spot, but recently I have been receiving better planned and implemented websites and phishing emails.

The sure proof guide to not getting phished.
First off you need to know two things. First, reporting phishing attempts does absolutely nothing, so don’t waste your time. Phishing attempts and the website’s that go with them are almost always hijacked, so reporting them will not lead authorities or anyone else to the responsible party. Second, there is nothing you can do to stop getting phishing emails, so don’t concern yourself with that one either.

1. Don’t Click
The most important thing to do, to not get phished, is to never click on a link in an email that asks, requests, begs, prays, or anything else in attempt to get you to login or even access a website. If you need to access the website, open a new browser window, type the website address in the new window, and login to the website from there. Whether you think the email is a phishing attempt or not, this is just plain common sense to protect yourself. If you never click on a link to a phishing website, you will never be a victim of phishing fraud.

2. Delete any identified phishing emails
Identifying phishing emails can be difficult, but a few simple flags will tell a phishing email from a real email almost every time. One thing you should have is a computer based email program. Online email like yahoo or hotmail, are terrible at helping a user to identify a phishing email. If you need an online email, I recommend using gmail, which also allows POP3 access from your home computer. Use Microsoft Outlook or Outlook Express to view your gmail emails. Using Outlook or Outlook Express will allow you to view extra information that is sent with each email. Whether you use an online program or Outlook, there are several flags that will make phishing emails stand out.

1. Email sender is not who the message is from.
   • The email sender in the header or the from box is different than who the message appears to be from. This would be like getting an email from chase bank, but in the FROM: field, Reply-To: field or in the header itself the message is from someone9876@earthlink.com.
2. The link that the page wants you to click on is a large, fake, or obscure address.
   • A phishing email will always try to get you to visit the fake website to enter your information. When you place your mouse over the link, look at the URL that appears. Another way to view the link in a web based email is to right click on the link and select ‘copy target’ or ‘copy link location’. Then paste the link in your web browser address bar and look at the link. If the email is real, the link will be directly to the website organization. If the email is fake, it will normally have a large obscure website address.
   • Good Link: http://www.paypal.com/us/
   • Bad Link: http://mabarrackfurniture.com.au/images/www.paypal.com/cgi-bin/webscr.php?cmd=_login-run
3. The email ends up in your spam box.
   • As simple as it seems, emails that end up getting hit by spam filters are filtered for a reason. While recently I have been seeing phishing emails routinely make it through the most strict spam filters, the majority of phishing emails will get caught in web based, and outlook spam filters. If it goes in your spam folder, it did so for a reason, so be extra careful with that email.

3. Use a different email address if you run websites
This is targeted at webmasters and others who manage websites. If you have websites and you have customer service email addresses on them, never use those email addresses for paypal, ebay, your bank, or any other personal, financial, or access related purposes. Keep the email addresses on your websites completely independent of ones you use for paypal, ebay, etc. The reason is that, spammers get huge lists of email addresses by scrubbing websites for email addresses. They send phishing emails to the email addresses that they collect. If the phishing emails you get are sent to the email addresses that your website’s use, then you instantly know that they are fake.

4. If you click on a link, make sure you are where you should be
If you do click on a link in your email, make sure that the link sends you to the actual organization’s website and not a fake. Look at the address bar. Does it look right?

Notice how the link in the address bar is not paypal, but the page looks just like the login page. This a phishing page. Never enter your information if the address in the bar is different from the organization that you are trying to visit.

A good phishing example:
This example is one of the best phishing emails I have ever seen. It instantly made me want to click on the link. It passed every spam filter I have and if I did not know exactly what to look for in a phishing email, I could have been a victim of it.

(more…)

You probably won’t end up paying the bill, but a stolen credit card can still cost you big in time and aggravation. Here’s how to protect yourself online and off.

In some ways, credit card fraud isn’t the problem it’s often made out to be.

Visa says fraud accounts for about 7 cents of every $100 spent on its credit cards, an all-time low and about half the rate of 10 years ago. Add to that the fact that the major credit card companies have “zero liability” policies, which means the vast majority of consumers who are victims don’t wind up paying a dime out of their own pockets.

This is a great article targeted at consumers about how to protect themselves from credit card fraud, and how credit card fraud effects them.

http://moneycentral.msn.com/content/Banking/creditcardsmarts/P87328.asp

I just started a new blog today, after making yesterday’s post. The blog is going to be geared toward web usability, increasing customer conversion on and offline and anything else related to making a business sell better.

Hopefully it can become a great resource for business owners.

AbyV.org – Conversion Marketing Blog