Information on Merchant Accounts,
Ecommerce and Credit Card Processing

May 16th, 2016 by MSI Newsletters

Make your terminal or POS last longer

Filed in: Monthly Newsletters

Credit card terminals and POS systems are typically designed with reliable components that should last for many years. However, there are ways to decrease the lifespan of credit card processing equipment, and many merchants may not know they’re already doing them.

Common ways to reduce the lifespan of processing equipment

  • Heat
  • Liquids
  • Physical Damage
  • Power Surges

Heat

The most common way that the lifespan of processing equipment is reduced is having it in an area where the equipment overheats. This is especially true for systems that experience heavy usage like a POS system. The best way to keep equipment cool is to make sure there is adequate ventilation around it. These machines are typically designed to produce as little heat as possible, but when they are placed in enclosed spaces or areas with poor airflow, heat can accumulate around the equipment. Unless it’s extreme, this doesn’t result in immediate failure, but over time it will degrade the electronics and cause the equipment to fail before it otherwise would have. For POS systems or other equipment with fans, make sure the discharge is directed away from the equipment.

Liquids

It goes without saying that liquid and electronics don’t mix well, but we commonly hear about drinks being spilled on terminals, especially in restaurants and counter service businesses. POS systems and credit card terminals are often in a location that makes them highly likely to be spilled on. Keep sodas, drinks, and other liquids away from processing equipment or put the equipment in a place where it is less likely someone would store a drink next to it.

Physical Damage

Credit card terminals, especially the portable ones, are built to be durable. But they’re still not designed to be dropped or heavily impacted. Even if there is no visible damage to the equipment, there are security features that may make the equipment unusable. Using a fixed stand or making sure cables are secured to the wall or counter will make sure it doesn’t get knocked onto the floor. Wireless terminals are more difficult because they’re constantly moved around, so diligence, or storing them in a padded bag when being transported, is the best way to prevent them from being damaged.

Power Surges

It is an absolute must to use a power strip that protects a POS system or credit card terminal from power surges. This is even more important if you live in an area that receives frequent lightning. Even if the power isn’t completely knocked out, power surges can wipe the programming, damage, or completely destroy processing equipment. This is by far the most common way we see terminals get damaged. A GFCI outlet does not protect equipment from surges; you must use a UPS (uninterruptible power supply) or a power strip that is designed to protect from power fluctuation. The best ones also have ports for Ethernet and dial phone lines that protect from surges through these connections in addition to the power. Not all power strips actually protect from surges, so unless the strip specifically states that it does, assume that it won’t.

These are the 4 most common ways we see equipment get broken or the life reduced below what should be reasonably expected. Processing equipment isn’t going to last forever, but because of the slow nature of changes in processing technology, processing equipment can last a long time if treated properly.


April 16th, 2016 by MSI Newsletters

Smart Phone Processing Outside a Square

Filed in: Monthly Newsletters

In the past there was only one option when it came to truly mobile processing: the cellular credit card terminal. While these devices work great and offer fast, stable transactions, they are expensive and come with additional monthly fees from a wireless provider. As technology has progressed, so have the wireless processing options, like the smartphone or tablet. Setting up a smartphone or tablet to process your credit card transactions is a great alternative to traditional wireless devices, offering a lower cost of entry and flexible options.

For many merchants smartphones and tablets offer a conventional way to accept credit card payments; however, many of the popular options, like Square, come with high per transaction costs that can really add up. If your business is processing less than $2,000 per month in credit card sales, it’s generally more cost effective to use a company like Square because of their lack of monthly and annual fees. On the other hand, if your processing volume exceeds $2,000 per month, paying lower transaction fees through a full service merchant account will generally more than offset any added monthly fees, not to mention the availability of dedicated support with a full service merchant account. Take for example a food truck processing $10,000 per month with a Square account. At a flat 2.75% per swipe fee they are going to be paying $275 per month in credit card fees. With a full service merchant account costing them $12 per month and a lower effective swipe rate of 2.00% they would pay $212 per month, which is more than a 20% savings.

Our team has a lot of experience with the many options out there and would be happy to help you get started in the right direction. We offer several different variations of this service supporting both Android and Apple products through our MSMobile program. MSMobile customers are charged a small monthly fee, starting at $12 per month, and have a choice of rate structures including a flat rate option, which is lower than Square’s 2.75%. From how you charge your customers to how your fees are structured, MSMobile gives you the power to choose what’s right for your business, which is why it has become one of our most popular wireless account options.

Reach out to one of our specialists or call us at (888) 528-0058 today and let us show you how we can put together a custom quote for your business.

Mobile Wallets (Apple and Samsung Pay)

Does your business accept mobile wallet payments? A couple years ago mobile wallets were mostly unheard of and merchant acceptance was low outside of the eCommerce environment. Today, with the rise of Apple Pay and Samsung Pay, mobile wallets have started to take off and are projected to increase in coming years as more and more businesses add the ability to accept these payments. In an article last year, CIO.com said that in 2014 0.5% of NFC equipped smartphones were used at least once a month, and they were expecting that number to be closer to 5.0% by the end of 2015. This does make up a small portion of today’s payment volume; however, over the next few years we expect to see a substantial increase in processing volume.

How do mobile devices work with mobile wallets?

Both Apple Pay and Samsung Pay use Near Field Communication (NFC) to communicate with a business’s Point of Sale, using tokenization to secure the card data. Basically, when you register your credit card with your Apple or Samsung device, the card issuer registers your card number to your mobile device. This means that neither the mobile device nor its manufacturer needs to keep your card number on file. When you make a purchase on an NFC enabled point of sale, the mobile device sends a one time use token, instead of a card number, that is recognized by the card issuer and linked back to your credit card.

Some devices equipped with Samsung Pay support magnetic secure transmission (MST), which can work on almost any existing point of sale system. MST basically broadcasts your credit card data to the point of sale device just as the device would read the data from the traditional magnetic swipe on the credit card. This feature is clearly less secure than NFC; however, MST only works within 3 inches of your mobile device and the transmission only lasts a second or two. This means that if someone wanted to steal your card data, they would have to be awkwardly close to you for the moment that your mobile device sent the MST signal.
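
A simplified model of the NFC token flow described above, as an added example that is not part of the original newsletter and is not Apple's, Samsung's, or any card issuer's actual protocol. The class names, the device ID, and the test card number are assumptions made up for illustration; the point is that the point of sale only ever handles the token, and that a token captured at the register cannot be used a second time.

```python
import secrets


class CardIssuer:
    """Constructed stand-in for the card issuer's token service."""

    def __init__(self):
        self._card_for_device = {}  # device_id -> card number (held only by the issuer)
        self._live_tokens = {}      # unused one-time token -> device_id

    def register_card(self, device_id, card_number):
        # Registration step: the issuer links the card number to the device.
        self._card_for_device[device_id] = card_number

    def issue_token(self, device_id):
        # The device receives a random token that carries no card data.
        if device_id not in self._card_for_device:
            raise KeyError("device has no registered card")
        token = secrets.token_hex(8)
        self._live_tokens[token] = device_id
        return token

    def authorize(self, token, amount_cents):
        # pop() removes the token on first use, which is what makes it one-time.
        device_id = self._live_tokens.pop(token, None)
        if device_id is None:
            return {"approved": False, "reason": "unknown or already used token"}
        card_number = self._card_for_device[device_id]
        return {
            "approved": True,
            "card_last4": card_number[-4:],
            "amount_cents": amount_cents,
        }


class PointOfSale:
    """Constructed stand-in for the merchant's NFC-enabled terminal."""

    def __init__(self, issuer):
        self.issuer = issuer
        self.seen = []  # everything that passed through the merchant's system

    def tap(self, token, amount_cents):
        self.seen.append(token)
        return self.issuer.authorize(token, amount_cents)


def run_demo():
    test_card = "4111111111111111"  # widely used test number, not a real card
    issuer = CardIssuer()
    issuer.register_card("phone-1", test_card)  # "phone-1" is a made-up device ID
    pos = PointOfSale(issuer)

    token = issuer.issue_token("phone-1")
    first = pos.tap(token, 1250)   # legitimate purchase of $12.50
    replay = pos.tap(token, 1250)  # same token presented again, e.g. by a skimmer

    return {
        "first": first,
        "replay": replay,
        "pos_saw_card_number": any(test_card in item for item in pos.seen),
    }


if __name__ == "__main__":
    print(run_demo())
```
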

How do I start accepting payments from mobile wallets?

Start by speaking to your processor first. You just need an NFC enabled point of sale and the correct software, however you will want to make sure the hardware you purchase is supported by your processor. Many credit card terminals like Verifone’s Vx520 have an optional NFC reader, or you may even be able to add an accessory to your existing device to enable NFC payments. Once you have the required hardware your credit card processor can help you install the required software in your terminal.


March 16th, 2016 by MSI Newsletters

What do you get for your Statement Fee ??

Filed in: Monthly Newsletters

You have probably noticed one or two little fees on your merchant account statement that range anywhere from $5.00 to $30.00. This little monthly fee has many names such as account fee, account on file, mailing, processing, statement, internet, access and even just plain monthly fee. All of these pretty much pertain to this charge that is generated from the processing company and can be lumped together as a statement fee. The charge began when merchant accounts first came out back in the 70’s and covered the bank’s cost of mailing statements and overhead, pretty much like the monthly fee for a checking account. Over time this monthly fee still covers the mailing of the statements and has become a profit source for some processors. Most processors charge a statement fee even if the statement is online or emailed to the merchant, and some even charge a second fee for the privilege of an online statement.

For most merchants they will get something that looks like this for their money:

This statement will have your basic information from the previous months. Very much like a bank statement, it will have your monthly volume, broken down by card type, and your daily deposits from your credit card processing. Your statement will also have the fees you paid for your credit card processing from the previous month. Hopefully your processor is breaking your fees down to your discount rate, transaction fee, and any monthly fees associated with your merchant account. So basically this statement is a receipt for the fees that you have paid for processing credit cards.

At The Merchant Store, our statement fee covers a lot more than just the mailing of a standard statement. Our fee covers an Online service called Access One. This is an Online portal that is included with your merchant account to give you the abilities that up to now were only available for an additional fee or for very large companies and nationwide chains.

First, when you log in you will have a dashboard that gives you a snapshot of the current batch, month to date and year to date processing. The dashboard gives you a 13 month rolling history of your processing. This information is broken down by card type, gross sales, returns, and net sales after any returns or charge backs.

Not only do you have access to your current statement but you will have every statement you have ever had available to you any time that you need it.

Access One gives our merchants access to the following information and reports:

With this system you will be able to see your batches, deposits and all voids/declines or returns. This is a way to double check your returns on a daily basis and make sure they are all approved.

A very cool feature is the transaction search feature where you can find any transaction that ran through your system:

Our Access One system goes way beyond a statement receipt for our merchants. This is a tool you can use to keep abreast of your current processing as well as the past history of your statements, transactions, batches and deposits. Access One also enables you to open customer service questions while you are in the system that will be answered in an expedited way.

Make sure you have a system working for you, get the Access One system included with your merchant account.


February 16th, 2016 by MSI Newsletters

Who is PCI and why is he charging me every month???

Filed in: Monthly Newsletters

If you are like a lot of merchants, when you take a close look at your credit card processing statement you will see a $20 to $35 monthly fee for PCI non-compliance. PCI, or actually “PCI DSS”, stands for Payment Card Industry Data Security Standard and is a list of requirements for all companies that process, store, or transmit credit card information. These standards were created in 2004 to focus on improving payment security. Then in 2006 PCI DSS 1.0 was released and businesses accepting credit card payments were required to be compliant. Version 1.0 was the first time all of the card brands supported one security standard for card payments. Unfortunately, less than 25% of small businesses have become compliant, and processors charge the rest a “non-compliance” fee until they go through the procedures to become certified.

In this article we will go over some details about PCI and shed light on a requirement that many merchants feel is unnecessary, and for which many never go through the certification process.

Most small business owners see PCI as an added expense both in time and money, but the truth is the costs are quite low when compared to the potential risks. Many small business owners think they are too small for an attacker to spend time going after them, or that since they don’t process online transactions they are safe from data breaches. That being said, as a business owner you may be more vulnerable than you think. Small businesses are far more likely to have unresolved system vulnerabilities, making them much easier targets. In fact, it could take an attacker weeks or months to breach a large target, but many small businesses can be breached in a matter of minutes. We are not just talking about e-commerce businesses either: in Verizon’s 2015 Data Breach Investigations Report, one of the most affected industries for POS intrusion was retail. The PCI requirements are designed to teach you about data security and help you secure your business. Below are some key points pertaining to compliance and your business.

Self-Assessment Questionnaire:

We get many complaints from merchants that say the self-assessment questionnaire (SAQ) defeats the entire purpose. They say things like “what keeps people from just filling it out in a way that says they are compliant?”, and I get their point; however, I think this is the wrong way to look at it. The SAQ isn’t about a business saying they are secure; it’s about becoming more secure. On a conference call a couple years ago, a leading PCI security vendor made a good point. He said every business should treat the PCI requirements as a way to learn about securing their business and they should use it as a tool to make incremental changes each year. The card brands and PCI Security Council know credit cards are not going to be 100% secure no matter what they do; however, continually putting the security standards in front of businesses helps to teach people how to best secure card data. Having worked on many of our own SAQs, we know how frustrating it can be, but it is important. Start it early and do a little bit each day, comparing the questions to your business, and be prepared to make changes to operations to better protect yourself and your customers.

Vulnerability Scans:

As I said before, the card brands know they can’t make sure every transaction is handled securely, but vulnerability scans are a good way to at least alert a business to a known issue with their network. While this additional step is not required for every business, it’s an important step to securing many businesses. For small businesses that don’t have a team of IT people, this might be the only amount of system security verification that occurs. Most small businesses are connected to the Internet, and many of those are using household grade network appliances that are using out of the box configurations and don’t get normal security updates. According to Verizon’s figures in the 2015 Data Breach Investigations Report, 99.9% of exploited system vulnerabilities were compromised more than a year after they were published. What that means is most, if not all, of those breaches could have been prevented just by doing regular security updates. A vulnerability scan should catch most of those vulnerabilities and alert the business owner of the potential risks. Keep in mind the vulnerability scan from the PCI security vendor is only going to be able to scan the side of your network that touches the Internet. It is not able to test your internal computer systems so it’s good practice to make sure those are updated and properly maintained as well.

PCI Costs:

PCI fees vary from processor to processor but it’s pretty standard to be charged $90 to $150 per year for PCI Services. Some processors will charge this as an annual fee and some will charge it on a monthly basis. In addition to this service fee you may also see PCI non-compliance fees which normally run about $20 per month. The non-compliance fee is easily removed from your account by proving that you meet the PCI requirements. If you are using your processor’s PCI compliance service, the fee is usually automatically removed once you are shown to be in compliance. If you are using a third party you will be required to send them proof of compliance, normally in the form of a certificate which is obtained from your PCI vendor.

I suggest staying away from processor provided PCI insurance, unless it’s included at no additional cost. Hypothetically it’s “insurance” that covers your costs if you do have a breach; in reality it may or may not help. If you have some sort of fee for PCI insurance, it would be a good idea to contact your processor and ask for the policy details, and maybe even how to remove the fee altogether, as you may be paying for something that would not help at all. I am sure some processors have legitimate insurance they are providing; however, you need to know what is covered and in what circumstances those things are covered. It’s likely there are many scenarios where the processor’s one-size-fits-all insurance isn’t giving your business any real coverage.

Breach Costs:

If you are unfortunate enough to experience a data breach, the costs of both time and money add up very quickly. The PCI DSS requires that if a merchant even believes they have been breached they are to have a third party conduct a forensic examination to determine if a breach has occurred. This can last weeks or months, and during this time they require your point of sale be shut down. It’s estimated that a small business examination costs between $20,000 and $50,000.

Then there are those potential fines which start at $5,000 and can exceed $50,000. It’s true that many small businesses are not assessed a fine for their first breach, however the ongoing PCI requirements for those merchants become much greater and fines can and have been assessed to those businesses that failed to become and maintain compliance.

Other Potential Breach Costs:

Notification of Customers: This cost can vary; however, it’s going to require you to send letters to anyone who did business with you around the time of the breach. You’re going to have to be sending multiple communications so you’re probably looking at a cost of at least $2.50 per customer.

Card Replacement Costs: You could be required to pay back the card issuers for having to reissue new credit cards to their customers. These fees can range from $3 to $10 per card.

Credit Monitoring: You may be required to provide each customer affected by your data breach with credit monitoring services for a year.

Liability for fraud charges: Your business may be held liable for any fraudulent charges on any card associated with your breach. For large breaches, the liability in this situation is practically unlimited.

Non-Monetary Costs: Your business may be required to contact past customers and explain that you breached their credit card data. You may end up with a spot on the evening news. These things add up to much more than just lost sales and time. It also puts you at risk of not being able to accept card payments any more, as the card association may choose to no longer allow you to accept their cards.

Conclusion:

The costs to be PCI compliant are negligible compared to the costs of even a potential breach. Becoming PCI compliant helps you better protect yourself and your customers, and if there ever is a breach, your penalties are likely to be significantly less than had you not been compliant. The next time you see that your PCI compliance certification is due, look at it as a way to secure your business and customers against fraud.


January 16th, 2016 by MSI Newsletters

IRS and Taxes

Filed in: Monthly Newsletters

Happy new year!

In this edition, we wanted to give a quick reminder about processing fees and how they affect a business’s taxes, have a few quick fraud tips for online merchants, and are introducing a limited time new year special. This month we are featuring the Salon Scheduler Clover POS application for salons and other businesses who have to manage customer appointments.

Happy new year and many more,
from all the staff at The Merchant Store

IRS and Taxes

Processing fees and costs are business expenses and are often overlooked by business owners filing their taxes. Make sure that you, or your accountant, deduct applicable processing fees when you file your taxes this year.

1099K / TIN Reporting

In 2008, buried in the middle of the Housing and Economic Recovery Act was a provision that had nothing to do with housing but was a new requirement that banks and credit processors must now report payments to the IRS. The rule, which took effect in 2012, was meant to “improve voluntary tax compliance” by business taxpayers to help the IRS determine whether their tax returns are correct and complete. This is where the 1099-K was born.

Merchants are now required to complete a W9 form for their credit card processor, if in the prior calendar year, they received payments:

  • from payment card transactions (e.g., debit, credit or stored-value cards), and/or
  • in settlement of third-party payment network transactions above the minimum reporting thresholds of –
    • gross payments that exceed $20,000 AND
    • more than 200 such transactions

Merchants now receive a 1099K statement from their processor detailing the gross sales that they accepted during the previous calendar year. Keep this statement for your tax records.

The amount being reported on the 1099K is very likely to be different than the actual net amount that a merchant processes throughout the year. This is due to the complexities in how the money is reported and that processors generally do not account for voided or canceled transactions, tips, refunds, and other non-sale transactions. We strongly suggest not using the amount directly from the 1099K for reporting actual revenue to the IRS, unless it matches a merchant’s actual sales amount. Instead, use processing receipts or the actual income recorded by your accounting procedures.

Important tips

For legal advice involving reporting your sales on your tax return, we strongly suggest speaking with a qualified CPA or tax attorney.

Merchants who do not file a W9, or whose submitted information the processor is unable to match with what the IRS has on file, may be subject to 28% withholding by the IRS. The 28% withholding is on gross sales, and occurs when the processor receives a withholding notice from the IRS.

If money is held at any point during the year, the only way to recover it is on the following year’s tax return. If you do have money held by the IRS, keep track of any applicable documentation, and make sure to report the money being held on your tax return. If a business owes taxes at the end of the year, the withheld money is normally applied against the amount owed to the IRS.

If you change your business structure, business name, EIN, or other information required to file your taxes, make sure to notify your processor so they can file the proper paperwork with the IRS. At any time, if the IRS deems that the information your processor has on file is not matching the IRS database, it is possible to be flagged for backup withholding.


December 16th, 2015 by MSI Newsletters

Chargebacks

Filed in: Monthly Newsletters

Chargebacks are something that almost all merchants who accept credit cards will have to deal with at one time or another. In our experience, there is often a lot of bad information about how the chargeback system works and what parties are involved in the chargeback process. We want to briefly overview how the chargeback system works and how this can affect merchants who receive a chargeback from a customer.

Chargebacks can be a costly surprise for the unsuspecting business owner and even more so for merchants in certain higher risk industries, where chargebacks are often a constant burden. Some consumers even know how to use the chargeback system so well, they commit a type of fraud called friendly fraud using the chargeback system.

What is a chargeback?

To begin, a chargeback is essentially a dispute made by a customer or the bank that issued the credit card to the customer. This dispute could be for a number of reasons, but essentially they are disputing the validity of a transaction between their card and a merchant who accepted it. The terms may vary by the type of card and how a transaction is processed, but the ability to request a chargeback is a fundamental protection that comes with all credit and debit cards. Once a chargeback is initiated, it is important for merchants to quickly respond to the chargeback claim, as they will lose the money they had previously received for the transaction if they do not respond.

The chargeback process

A chargeback is initiated when a card holder or their bank feels that a transaction was not valid, for the amount, service, quality of goods that a merchant sold, or a number of other reasons. One of the most common types of chargebacks is simply if a card holder’s credit card number is stolen and used by a thief. Some other common reasons for chargebacks are: defective goods or goods not as described, non-authorized sale, key data points missing from point of sale system, delay in batching transaction, duplicate transaction or credit not issued, and non-delivery of sale item. Unfortunately, many of these chargeback reason codes, such as defective or goods not as described, can be very subjective and the issuing bank tends to rule heavily in favor of their customer. Also, issuing banks will sometimes initiate a chargeback if the transaction is outside of the normal behavior pattern of the customer, and we’ve seen these types of chargebacks actually happen 3 to 4 months later. If you receive one of these issuing bank chargebacks, it’s a good idea to check with your processor because we have found that in rare cases you’re better off not responding. But this is only in rare situations, so make sure your processor has given you this advice; otherwise, you’re guaranteed to lose the chargeback.

When a chargeback is requested, the card issuer files a chargeback request with the merchant’s processor. That processor immediately withdraws the funds for the transaction from the merchant. These are held in a reserve account pending the outcome of the chargeback investigation.

The merchant is then notified by their processor that they have received a chargeback and asked to provide proof that the transaction accepted by the merchant was legitimate. The merchant has 14 days to respond to this request or the issuer will automatically rule against them. Proof for a retail merchant is often a signed receipt and evidence that the card was swiped through a terminal or POS system. Now with the advent of EMV terminals we are seeing more and more chargebacks initiated by card issuers for non-EMV terminals. For Online and other non-retail merchants, proof is often showing tracking numbers and a delivery signature, but in any case it is much more difficult to prove the legitimacy of a transaction where the customer’s card was not electronically captured. Even if a merchant has a signed receipt or invoice, this is not proof of delivery for a non-swipe environment such as a phone or Internet order.

The processor then sends whatever information it received from the merchant to the card issuer.

The card issuer then makes a decision on the validity of the transaction, and either returns the collected money back to the merchant, or releases it to the cardholder, depending on which side they rule in favor of.

If the issuer rules in favor of the cardholder, the merchant may still have an opportunity for arbitration over the validity of the transaction, but there is significant, and irrecoverable, cost to the merchant if they wish to go to arbitration. The cost is $500 to take the case to arbitration, and most processors won’t take the case to arbitration unless the merchant has paid the $500 and they feel the merchant has a very good chance of success. The arbitration process then takes another 45 days to complete.

Important points

  • Chargebacks can generally be made for 120 – 180 days after a transaction is considered settled. This is important because in the event of custom, recurring, or prepaid products or services, the liability for a chargeback is often considered beginning on the date the transaction and service is considered complete, which may not be the initial date of the sale itself, but the date of the final payment. If the transaction is for future deliverables, the time frame for a chargeback can go up to 540 days.
  • Here is a brief description of chargeback time limits:
    • In cases that involve delayed delivery or performance of goods and services, the period is 120 days from the date the goods and services were supposed to be provided.
    • In cases that involve interrupted services that were immediately available, then the 120 days begins when the services cease and the chargeback cannot exceed 540 days from when the services started.
  • If you do receive a chargeback, make sure not to refund the transaction! The money from the original transaction is already going to be reversed from your account. Refunding after a chargeback has been initiated can result in losing the recaptured chargeback funds and not being able to recover the refund you just made. If a chargeback is in process, let the process play out even if the customer is requesting a refund directly.
  • It’s important to understand that the card issuer is the one making the decision on whether a transaction was valid or not. The processor acts as an intermediary between the card issuer and the merchant, but they do not have any say in how the issuer rules. They will however help the merchant if there is specific technical information requested by the issuer, such as proof that a transaction was swiped, as well as offering customer support through the chargeback process.
  • It may not be obvious as to the processor’s entire role in the payment process, but because of the risk of chargebacks, processors are actually acting as a guarantee and lender to a merchant accepting credit card transactions. The processor is completely liable for the cost of a chargeback if the merchant is unable to repay it. So in essence, a processor is issuing a loan to a merchant every time they accept a card from a customer. It is only after a period of months, when the risk of a chargeback goes to zero, that the money is actually guaranteed to the merchant.
  • Merchants who receive excessive chargebacks can be terminated by card associations, and in some cases are prohibited from accepting cards again in the future, both personally and the business that received the chargebacks. Card associations will levy hefty fines for merchants who continually exceed allowable chargeback levels. Most processors have their own limits, but MasterCard will start fining a merchant if they have chargebacks and refunds over 2% or a total of 150 chargebacks in a one-month period.

Friendly Chargebacks

A type of fraud that has become increasingly common over the past 10 or so years is called friendly fraud. Friendly fraud is where a legitimate customer requests a chargeback to avoid paying for a good or service while having no plan to return the product to the merchant. Because of certain chargeback protections that favor the consumer, this is still something that many businesses experience. In the case of friendly fraud, if a merchant loses the chargeback, they can use the legal system, either by filing a police report or by using the small claims or regular court system, in an effort to recover either the payment or the goods that were provided. This can be costly in itself, so it’s a good idea to be 100% sure that friendly fraud has occurred and that the cost of goods is worth the time and effort to try and recover.

Retrieval Requests

Before initiating certain chargebacks, the issuer may require a copy of the electronic data or copy of the draft associated with a transaction to substantiate a chargeback. If proper documentation is not given to the issuer, the retrieval request will then move into a chargeback status, and depending on the reasoning behind the retrieval request, the merchant may not be able to win if they didn’t reply to the initial request. Treat retrieval requests like chargebacks if you ever receive one.

Links to tips on fighting chargebacks:

http://www.nasdaq.com/article/8-steps-to-fighting-chargeback-fraud-cm478603

http://www.merchantequip.com/information-center/articles/prevent-chargebacks-10-tips/


November 17th, 2015 by Jamie Estep

Credit Card Terminal Videos: Update Date and Time on Verifone VX520’s

Filed in: Credit Card Equipment, Videos |

We’re going to start publishing a series of videos on how to accomplish routine functions on credit card terminals, payment gateways, and other processing equipment. The first video in our series is simple but often requested: How to update the date and time on Verifone VX520 Credit Card Terminals. Additionally, this should work on most other VX model credit card terminals by Verifone.


September 11th, 2015 by Jamie Estep

PIN debit ≠ EMV

Filed in: Merchant Accounts |

We’ve been receiving a substantial number of enquiries to add PIN debit to existing merchant accounts. We wanted to clear up what is looking to be a new misconception about different types of cards and acceptance methods.

PIN debit is not EMV!

To briefly summarize, being able to accept PIN debit transactions has absolutely nothing to do with accepting EMV transactions.

We are unsure how this concept is getting traction, but suspect it has something to do with EMV being referred to as Chip and PIN in non-US countries. It also may be due to an older pricing scenario where PIN debit was cheaper to accept than debit run as a credit transaction.

Disregarding the cost of obtaining and encrypting a PINpad, which typically runs from about $100 – $500 depending on the equipment, PIN debit and signature debit were regulated by Congress several years ago and now carry the same cost to accept, no matter how the debit card is processed. Additionally, when Congress regulated the debit industry, it also allowed debit networks, such as Star, Pulse, and others, to charge monthly fees for processing a transaction over their network. What this means is that, unbeknown to a merchant, they may end up with a monthly fee for accepting a PIN debit transaction if it is processed over one of these networks, which the merchant has zero control over. In short, it is likely more expensive to accept PIN debit now than prior to the congressional regulation. PIN debit still does carry the benefit of substantially reduced risk of receiving a chargeback, but most retail merchants rarely see chargebacks on debit transactions, so for most this benefit will be negligible.

If you want to accept PIN debit transactions, by all means accept them. Just know that accepting PIN debit is not going to satisfy any requirement relating to EMV migration and there’s a very good chance that PIN debit will cost slightly more in the form of monthly fees from debit networks.


September 10th, 2015 by Jamie Estep

Fraud Prevention Tips

Filed in: Chargeback Tips, Fraud, Merchant Accounts |

Previously we talked about a few of the lesser known fraud types that many small businesses encounter.

Part 2 of our series on fraud covers some tips to help identify and prevent the damages from fraud. Many forms of fraud can be prevented by proactive policies and often with common sense. While some schemes are so well planned that even seasoned professionals have a hard time identifying them, many types of fraud follow recognizable trends and can often be prevented. Here are some tips to help identify, prevent, and mitigate fraud.

General (applies to all business types)

  • Create a payment acceptance guide / poster for all employees and keep it readily available. This should be a short, easy-to-read list of how payments should be accepted. Anything that is outside of these guidelines should be considered against company policy without approval from a knowledgeable supervisor. Keep this as short and concise as possible; it should be something an employee can review in 20 seconds or less. Most fraud will require an employee to deviate from the normal method of accepting a transaction, and this is meant to immediately prevent the lowest hanging types of fraud.
  • Talk to your employees about fraud and encourage them to notify you or a supervisor of anything suspicious or simply out of the ordinary with regard to accepting payments. This will keep everyone on the same page, and can help you and your employees develop better practices and a higher understanding of potential threats.
  • Do not ever accept an authorization number from a customer or their bank. Only accept authorization numbers generated when you process a transaction or if you manually call into your credit card processor’s authorization line.
  • Don’t allow issuing cash refunds on any credit or debit transaction that was processed as a credit card, and do not allow issuing a refund to any card other than the one used to make a payment. Basically, unless the customer entered a PIN number on a PINpad, only credit back to the original card used to make a purchase.
  • Be especially vigilant of customers requesting refunds, credits, or abnormal transactions involving prepaid gift cards. Prepaid gift cards work differently from normal credit and debit cards and some issuers have been known to have large security and functional holes in their authorization and funding systems.

Card Present

  • If available at your processor, use a terminal that supports EMV (chipped) cards. EMV eliminates fraud occurring from cards that have been electronically stolen and copied to another card. Businesses with unattended card readers such as gas stations will see the greatest benefit from EMV.
  • Make sure a supervisor is required for any returns or credits to a credit or debit card. A very large portion of fraud is committed by employees and customers in the form of issuing credits. The money issued during a credit can be difficult to impossible to account for without vigilant bookkeeping practices. Credits should always be strictly controlled.
  • When the card is present, always check the back of the credit card for a signature, before asking for ID. If no signature is present ask the card holder to sign the back of the card, then ask for their ID and see if the name and signatures match.
  • Although card brands do not permit requiring an ID as condition of accepting a payment, you can still always ask for one to verify the purchaser is the person standing in front of you and whose name is on the card.
  • Be especially vigilant of cards that appear to be damaged, potentially altered, or cards where the beginning numbers don’t match the type of card being offered (Generally beginning with 4 for Visa, 5 for MasterCard, 3 for American Express, and 6 for Discover). After printing a receipt, you can also verify the printed card numbers on the receipt match the numbers on the actual card. When thieves make copies of stolen cards, they often encode them onto cards with a completely different number or an entirely different type of card than the one the numbers were stolen from.
  • Be critical of situations where a customer’s payment isn’t typical, such as trying to pay with a series of cards that keep declining, refusing to show an ID, refusing to sign their card, etc.

Card Not Present

  • Requesting the CVV code helps ensure that the buyer physically has the card in hand, or at least had it in their hand at one point. Electronically copied cards will not have the CVV number. While not a guaranteed method, it’s a good step to help protect your business.
  • Always use the Address Verification System (AVS). AVS verifies that the billing information matches what the card issuer has on file by matching both the street number and the zip code. However, AVS does not work with most international cards, so this may not be as useful to merchants who have a large percentage of customers paying with non-US issued cards.
  • Any shipments to the customer should be shipped to the billing address when possible, and shipments with a high dollar value should require a human signature with the carrier. While this can sometimes cause convenience problems, it is the best way to protect your business and guarantee that at least a human was there to receive your shipment.
  • Only use shipping services, such as UPS or Fedex, that allow you to cancel or reroute an item after it has been picked up. The only thing worse than taking a loss on fraud, is identifying a transaction as fraudulent and not being able to prevent the package from being delivered after it has been shipped.
  • Orders requesting expedited or overnight delivery should be scrutinized more than orders requesting ground or other economy shipping. It is common for customers to want their items quickly, but thieves also want to get products in their hands as quickly as possible, and will almost always pay for the fastest possible shipping method no matter the cost. Anecdotally, in more than 15 years of operating ecommerce sites, we’ve never seen a confirmed fraudulent order shipped by anything less than 2nd day air; the vast majority are shipped by the fastest and most costly method possible, which is typically Next Day AM or equivalent.
  • Searching the shipping address of an order in a search engine can often reveal if the order is being shipped to a forwarding address, an empty or for-sale property, or sometimes even just a vacant lot. All of these situations are a major red flag for potential fraud, and should require further review before fulfilling an order.
  • Be especially cautious of orders where the buyer changes the shipping address after ordering. This is a common method used to circumvent AVS and other address based screening methods of identifying fraud.
  • Online or phone orders where the buyer is indiscriminate about the cost of shipping or cost of the products being ordered should be considered highly probable for fraud.
  • Additionally, any customer asking for a catalog and price list when you have everything on a website should be considered suspect as well. Unsolicited requests for prices, product lists, and what payment methods a business accepts, are often nothing more than electronically generated emails from scammers scraping emails off ecommerce sites.
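The card-not-present red flags above can also be checked automatically before an order ships. The following is an added example, not code from the original post; the field names, the shipping-speed labels, the $500 high-value cut-off and the sample orders are assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed labels for fast shipping methods; map your carrier's service names onto these.
EXPEDITED = {"next_day_am", "next_day", "second_day"}
# Assumed cut-off for "high dollar value"; the post gives no figure.
HIGH_VALUE = 500.00
# Flags that are recorded but do not trigger a manual review on their own.
INFORMATIONAL = {"avs_unavailable"}


@dataclass
class Order:
    amount: float
    billing_address: str
    shipping_address: str
    shipping_speed: str
    signature_required: bool
    cvv_match: Optional[bool]          # None: CVV was not requested
    avs_street_match: Optional[bool]   # None: issuer returned no AVS result
    avs_zip_match: Optional[bool]
    address_changed_after_order: bool = False


def _norm(address: str) -> str:
    """Case- and punctuation-insensitive form of an address for comparison."""
    cleaned = "".join(c if c.isalnum() else " " for c in address.lower())
    return " ".join(cleaned.split())


def screen_order(o: Order) -> List[str]:
    """Return the red flags from the list above that apply to this order."""
    flags = []
    if o.cvv_match is None:
        flags.append("cvv_not_requested")
    elif not o.cvv_match:
        flags.append("cvv_mismatch")
    if o.avs_street_match is None or o.avs_zip_match is None:
        # Typical for non-US cards: AVS gives no signal, so the other checks carry the weight.
        flags.append("avs_unavailable")
    elif not (o.avs_street_match and o.avs_zip_match):
        flags.append("avs_mismatch")
    if _norm(o.shipping_address) != _norm(o.billing_address):
        flags.append("ship_to_differs_from_billing")
    if o.address_changed_after_order:
        flags.append("shipping_address_changed_after_order")
    if o.shipping_speed in EXPEDITED:
        flags.append("expedited_shipping")
    if o.amount >= HIGH_VALUE and not o.signature_required:
        flags.append("high_value_without_signature")
    return flags


def needs_review(o: Order) -> bool:
    """Hold the order for a human when any non-informational flag is raised."""
    return any(f not in INFORMATIONAL for f in screen_order(o))


# Constructed sample orders.
ROUTINE = Order(80.00, "12 Elm St., Springfield, IL 62704", "12 elm st springfield il 62704",
                "ground", False, True, True, True)
SUSPECT = Order(1200.00, "12 Elm St, Springfield, IL 62704", "900 Harbor Rd Unit 4, Miami, FL 33101",
                "next_day_am", False, True, True, True, address_changed_after_order=True)
NON_US = Order(60.00, "4 Rue Cler, Paris", "4 Rue Cler, Paris", "ground", False, True, None, None)

if __name__ == "__main__":
    for name, order in (("routine", ROUTINE), ("suspect", SUSPECT), ("non-US", NON_US)):
        print(name, needs_review(order), screen_order(order))
```

Note that the suspect order passes both CVV and AVS and is still held, because the address change and shipping pattern are checked independently of the card data.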

Additionally, take a look at our 30 second fraud checklist for ecommerce merchants.

The information above is to give you a better idea of what you can do to help protect your business from fraud. Training yourself and your staff can go a long way to protecting your business, especially if you continue to keep that training up to date as your business moves forward. New technologies may help businesses limit their risk in some ways while opening the door to other possible threats, so it is important that you keep up with, and understand, the relevant practices of fraudsters. Make sure you implement standard operating procedures within your organization so that you have a baseline to judge potential threats against. Fraudsters are not in the business of getting caught, so if they see a business operating in a manner that is not conducive to their success they will often move to another target.


August 18th, 2015 by MSI Newsletters

Fraud Prevention Tips

Filed in: Monthly Newsletters |

Previously we talked about a few of the lesser known fraud types that many small businesses encounter.

Part 2 of our series on fraud covers some tips to help identify and prevent the damages from fraud. Many forms of fraud can be prevented by proactive policies and often with common sense. While some schemes are so well planned that even seasoned professionals have a hard time identifying them, many types of fraud follow recognizable trends and can often be prevented. Here are some tips to help identify, prevent, and mitigate fraud.

General (applies to all business types)

  • Create a payment acceptance guide / poster for all employees and keep it readily available. This should be a short, easy-to-read list of how payments should be accepted. Anything that is outside of these guidelines should be considered against company policy without approval from a knowledgeable supervisor. Keep this as short and concise as possible; it should be something an employee can review in 20 seconds or less. Most fraud will require an employee to deviate from the normal method of accepting a transaction, and this is meant to immediately prevent the lowest hanging types of fraud.
  • Talk to your employees about fraud and encourage them to notify you or a supervisor of anything suspicious or simply out of the ordinary with regard to accepting payments. This will keep everyone on the same page, and can help you and your employees develop better practices and a higher understanding of potential threats.
  • Do not ever accept an authorization number from a customer or their bank. Only accept authorization numbers generated when you process a transaction or if you manually call into your credit card processor’s authorization line.
  • Don’t allow issuing cash refunds on any credit or debit transaction that was processed as a credit card, and do not allow issuing a refund to any card other than the one used to make a payment. Basically, unless the customer entered a PIN number on a PINpad, only credit back to the original card used to make a purchase.
  • Be especially vigilant of customers requesting refunds, credits, or abnormal transactions involving prepaid gift cards. Prepaid gift cards work differently from normal credit and debit cards and some issuers have been known to have large security and functional holes in their authorization and funding systems.

Card Present

  • If available at your processor, use a terminal that supports EMV (chipped) cards. EMV eliminates fraud occurring from cards that have been electronically stolen and copied to another card. Businesses with unattended card readers such as gas stations will see the greatest benefit from EMV.
  • Make sure a supervisor is required for any returns or credits to a credit or debit card. A very large portion of fraud is committed by employees and customers in the form of issuing credits. The money issued during a credit can be difficult to impossible to account for without vigilant bookkeeping practices. Credits should always be strictly controlled.
  • When the card is present, always check the back of the credit card for a signature, before asking for ID. If no signature is present ask the card holder to sign the back of the card, then ask for their ID and see if the name and signatures match.
  • Although card brands do not permit requiring an ID as condition of accepting a payment, you can still always ask for one to verify the purchaser is the person standing in front of you and whose name is on the card.
  • Be especially vigilant of cards that appear to be damaged, potentially altered, or cards where the beginning numbers don’t match the type of card being offered (Generally beginning with 4 for Visa, 5 for MasterCard, 3 for American Express, and 6 for Discover). After printing a receipt, you can also verify the printed card numbers on the receipt match the numbers on the actual card. When thieves make copies of stolen cards, they often encode them onto cards with a completely different number or an entirely different type of card than the one the numbers were stolen from.
  • Be critical of situations where a customer’s payment isn’t typical, such as trying to pay with a series of cards that keep declining, refusing to show an ID, refusing to sign their card, etc.

Card Not Present

  • Requesting the CVV code helps ensure that the buyer physically has the card in hand, or at least had it in their hand at one point. Electronically copied cards will not have the CVV number. While not a guaranteed method, it’s a good step to help protect your business.
  • Always use the Address Verification System (AVS). AVS verifies that the billing information matches what the card issuer has on file by matching both the street number and the zip code. However, AVS does not work with most international cards, so this may not be as useful to merchants who have a large percentage of customers paying with non-US issued cards.
  • Any shipments to the customer should be shipped to the billing address when possible, and shipments with a high dollar value should require a human signature with the carrier. While this can sometimes cause convenience problems, it is the best way to protect your business and guarantee that at least a human was there to receive your shipment.
  • Only use shipping services, such as UPS or Fedex, that allow you to cancel or reroute an item after it has been picked up. The only thing worse than taking a loss on fraud, is identifying a transaction as fraudulent and not being able to prevent the package from being delivered after it has been shipped.
  • Orders requesting expedited or overnight delivery should be scrutinized more than orders requesting ground or other economy shipping. It is common for customers to want their items quickly, but thieves also want to get products in their hands as quickly as possible, and will almost always pay for the fastest possible shipping method no matter the cost. Anecdotally, in more than 15 years of operating ecommerce sites, we’ve never seen a confirmed fraudulent order shipped by anything less than 2nd day air; the vast majority are shipped by the fastest and most costly method possible, which is typically Next Day AM or equivalent.
  • Searching the shipping address of an order in a search engine can often reveal if the order is being shipped to a forwarding address, an empty or for-sale property, or sometimes even just a vacant lot. All of these situations are a major red flag for potential fraud, and should require further review before fulfilling an order.
  • Be especially cautious of orders where the buyer changes the shipping address after ordering. This is a common method used to circumvent AVS and other address based screening methods of identifying fraud.
  • Online or phone orders where the buyer is indiscriminate about the cost of shipping or cost of the products being ordered should be considered highly probable for fraud.
  • Additionally, any customer asking for a catalog and price list when you have everything on a website should be considered suspect as well. Unsolicited requests for prices, product lists, and what payment methods a business accepts, are often nothing more than electronically generated emails from scammers scraping emails off ecommerce sites.

The information above is to give you a better idea of what you can do to help protect your business from fraud. Training yourself and your staff can go a long way to protecting your business, especially if you continue to keep that training up to date as your business moves forward. New technologies may help businesses limit their risk in some ways while opening the door to other possible threats, so it is important that you keep up with, and understand, the relevant practices of fraudsters. Make sure you implement standard operating procedures within your organization so that you have a baseline to judge potential threats against. Fraudsters are not in the business of getting caught, so if they see a business operating in a manner that is not conducive to their success they will often move to another target.