<?xml version="1.0" encoding="utf-8"?><rss version="2.0" xmlns:atom="http://www.w3.org/2005/Atom"><channel><atom:link href="http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;Type=RSS20" rel="self" type="application/rss+xml" /><title>John Mayleben Blog</title><description>johnMayleben</description><link>http://www.retailers.com/</link><lastBuildDate>Thu, 17 May 2012 11:09:07 GMT</lastBuildDate><docs>http://backend.userland.com/rss</docs><generator>RSS.NET: http://www.rssdotnet.com/</generator><item><title>Spring cleaning your card processing</title><description>&lt;span style="font-size: 14px; font-family: tahoma;"&gt;Just like at home, &amp;ldquo;spring cleaning&amp;rdquo; has a place in the world of electronic payments.&lt;br /&gt;
&lt;br /&gt;
If you accept payment cards (credit, debit, gift) in your business, you should periodically conduct a top-to-bottom review of everything you&amp;rsquo;re doing. You will benefit by taking a few minutes to review your systems, equipment and procedures to find areas where you can make improvements, such as reducing your exposure to fraud or becoming more efficient.&lt;br /&gt;
&lt;br /&gt;
The first thing you need to do is make sure you have successfully completed the Payment Card Industry (PCI) Self Assessment Questionnaire. The questionnaire is somewhat like your proof of insurance for your car; you only need it when you renew your license plates or when the police stop you. If you experience a PCI data breach, the card associations will ask to review your document. Failure to have it completed and available creates exposure for which you may be fined by the card associations (Visa, MasterCard and the like).&lt;br /&gt;
&lt;br /&gt;
At Michigan Retailers Association we have set up an &lt;a target="_blank" href="http://www.compliance101.com/"&gt;online tool&lt;/a&gt; that will take you through the SAQ process with &amp;ldquo;plain English&amp;rdquo; questions. The end result is that you will have successfully completed the SAQ and the Attestation of Compliance. Part of this tool is also a help desk to answer any questions you have about compliance. &lt;br /&gt;
&lt;br /&gt;
The second thing you should do is to review the procedures your staff members are using when handling card data. While you might understand that long-term storage of card numbers and expiration dates is not a good thing, some of your staff may not. I have had conversations with business owners who developed sound policies around card data protection, only to discover that their staff members were not following those policies. You should watch or listen carefully to what your staff members do with card data. They may be well intentioned, but their failure to follow set policies will create an exposure for you as the business owner.&lt;br /&gt;
&lt;br /&gt;
The last part of spring cleaning should be a review of your equipment and processes for handling a customer&amp;rsquo;s card transaction, with an eye toward how you might make improvements. In some cases the changes will help you lower your processing fees; in others it may help you become more efficient. Some things to consider and questions to ask yourself:&lt;br /&gt;
&lt;/span&gt;&lt;br /&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;1. Do I have the appropriate terminal to handle today&amp;rsquo;s cards? Some of the terminals that merchants are still using have been around for 20 years. The technology for handling a transaction has changed in the last two decades, so maybe it&amp;rsquo;s time to upgrade your terminal.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;2. If I have a terminal, do I still need a phone line? In the last 5-10 years, all of the terminal manufacturers have developed terminals that plug into your computer network via Ethernet instead of a phone line. In some cases, the conversion to this type of device will allow you to eliminate a phone line, which can save you $30-$50 per month.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;3. Do I even still need a terminal? In the last 10 years we have seen the development of web-based &amp;ldquo;terminals&amp;rdquo; that enable you to run a transaction (either card not present or face to face) without having a terminal in your store. This will dramatically limit the scope of your PCI compliance conversation mentioned earlier.&lt;/span&gt;&lt;/p&gt;
&lt;span style="font-size: 14px; font-family: tahoma;"&gt;
It is always good to take a minute and work &amp;ldquo;on&amp;rdquo; your business and not &amp;ldquo;in&amp;rdquo; your business. A spring cleaning for your payment card system may be a good way to start.&lt;br /&gt;
&lt;br /&gt;
If you have any questions about these spring cleaning tips, your merchant processing customer service desk can help you with answers.&lt;br /&gt;
&lt;br /&gt;
&lt;em&gt;John Mayleben CCP is Michigan Retailers Association senior vice president, technology and product development, and a national expert on electronic payment processing. He is the first person in Michigan and among the first in the nation to receive the Certified Payments Professional designation from the Electronic Transactions Association. &lt;/em&gt;&lt;/span&gt;&lt;br /&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=501908&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fSpring_cleaning_your_card_processing%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/Spring_cleaning_your_card_processing/</guid><pubDate>Tue, 08 May 2012 12:21:00 GMT</pubDate></item><item><title>Downside of Remote Access</title><description>&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;If you have the ability to access your computer system from an offsite location, the use of the technology that provides you &amp;ldquo;remote access&amp;rdquo; is usually a godsend. It can eliminate the need to drive back to your office or store to solve a problem there. It also saves time in case your computer or POS vendor needs to run an update or solve a more significant issue. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;But there is also a serious potential downside.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;Because remote access is, in essence, a back door to get into your system, the bad guys also can get in under the wrong circumstances and create mischief or cause you serious financial damage. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;If they do get in, chances are it is not because of something you have done (other than giving keys to trusted vendors or other &amp;ldquo;partners&amp;rdquo;), but something that one of those &amp;ldquo;partners&amp;rdquo; has done. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;In more and more cases, retailers using POS cash register systems that also handle merchant processing transactions have had data breaches because a &amp;ldquo;bad guy&amp;rdquo; hacked the system of one of their vendors. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;How do bad guys gain entry to your system from your vendor&amp;rsquo;s? The hacker lurks on the vendor&amp;rsquo;s system until the vendor accesses your system for a legitimate reason. And when the vendor does that, it&amp;rsquo;s like giving the bad guys a copy of the keys to your back door. At some point in the future, the hacker will enter to create havoc.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;In one recent case, a retailer&amp;rsquo;s system was accessed in just that manner, and the retailer ended up with about 2,000 card numbers exposed. When that happens, unfortunately, the card associations look to the retailer for compensation because the retailer is the &amp;ldquo;merchant.&amp;rdquo; Any contract the retailer has with the vendor does not normally include the card association. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;What that means is that the retailer, in most cases, ends up paying the bill and having to collect from the vendor &amp;mdash; but only if the retailer&amp;rsquo;s contract with the vendor allows for that. In some cases, because the bad guys don&amp;rsquo;t usually &amp;ldquo;hack&amp;rdquo; just one system, the vendor ends up with hundreds of client data breaches.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;If you have a POS system that allows for remote access, you should talk with your IT specialists to determine the best way to protect your data from this type of hack. You should also review the business case for each point of remote access and ask yourself, &amp;ldquo;do I really need this turned on?&amp;rdquo; In some cases you may find that the risk is simply too great.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;The risk is great because the cost of one of these data breaches can easily run into the tens of thousands of dollars.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;In today&amp;rsquo;s economic climate, most businesses would have trouble coming up with that kind of money &amp;ndash; most commercial insurance doesn&amp;rsquo;t cover that type of loss. In the case of merchants who process with Michigan Retailers Association, we automatically provide (as part of the normal monthly fee you pay for merchant processing) $100,000 worth of data breach coverage, just in case &amp;ldquo;bad things happen to good people.&amp;rdquo; &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;Even if you process with MRA you should still have that conversation with your IT folks. If you process elsewhere and don&amp;rsquo;t have this kind of data breach coverage, you should ask about it right away or give us a call. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;&lt;em&gt;&lt;span style="font-size: 14px; font-family: arial;"&gt;John Mayleben CCP is Michigan Retailers Association senior vice president, technology and product development, and a national expert on electronic payment processing. He is the first person in Michigan and among the first in the nation to receive the Certified Payments Professional designation from the Electronic Transactions Association. &lt;/span&gt;&lt;/em&gt;&lt;/span&gt; &lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=444942&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fDownside_of_Remote_Access%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/Downside_of_Remote_Access/</guid><pubDate>Wed, 21 Mar 2012 18:06:00 GMT</pubDate></item><item><title>Chip Cards Are Coming</title><description>&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;When it comes to credit, debit and other electronic payment cards, the good ol&amp;rsquo; technology-savvy U.S. actually has been quite backward. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;For years, the rest of the world has moved from the traditional, old-fashioned, mag stripe (that black, magnetic stripe on the back of a credit card) to a more secure solution that involves a small computer chip embedded under the surface of the card. This evolution has left only the U.S. (and most of its territories) as the remaining holdout. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;And not only is the U.S. out of step, its delay has made our part of the world a bigger target for fraud artists. Because the chip cards are harder to counterfeit, the bad guys have been &amp;ldquo;pushed&amp;rdquo; toward cards over here. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;But all that is about to change.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;Visa recently changed its policy on &amp;ldquo;chip&amp;rdquo; or EMV cards here in the United States, and it impacts merchants in a big way. (EMV stands for &amp;ldquo;Europay, MasterCard, Visa&amp;rdquo; and is the standard that was adopted for chip cards.)&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;Visa announced that effective July 1, 2015, any merchant that processes at least 75 percent of its transactions through a terminal that is EMV (both contact and contactless) compliant will be able to shift chargeback liability back to the issuing bank if that bank does not issue chip cards. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;As most merchants know, the majority of the chargeback risk today is borne by the retailer. So the offer of a &amp;ldquo;get out of chargeback liability free card&amp;rdquo; is a pretty big carrot to wave in front of merchants and a huge incentive for moving them to accept EMV cards. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;The assumption with this sea change, of course, is that issuing banks will move quickly toward issuing new cards with the EMV chip embedded in them. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;The new cards will change the way a merchant processes a transaction. A chip card is &amp;ldquo;dipped,&amp;rdquo; not swiped, through a terminal and has to be left inserted in the terminal during the transaction. Once a transaction has been processed, either a signature or a PIN number is required to complete it. &lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;Currently, transactions in the rest of the world are handled with a PIN number, but at this point the card networks in the U.S. have not announced whether a PIN number will be the standard here.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;To qualify for the shift in chargeback liability and to be able to process these new cards, merchants will need to either add a peripheral device to their terminals or, in some cases, upgrade their credit card devices. Once all these coming changes are solidified, your merchant-processing provider should be communicating with you about choices available to you.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;If you have questions, you should contact your merchant processing help desk.&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size: 14px; font-family: tahoma;"&gt;&lt;em&gt;&lt;span style="font-size: 14px;"&gt;John Mayleben is Michigan Retailers Association senior vice president, technology and product development, and a national expert on electronic payment processing. He is the first person in Michigan and among the first in the nation to receive the Certified Payments Professional designation from the Electronic Transactions Association. &lt;/span&gt;&lt;/em&gt;&lt;/span&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=395986&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fChip_Cards_Are_Coming%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/Chip_Cards_Are_Coming/</guid><pubDate>Fri, 27 Jan 2012 20:41:00 GMT</pubDate></item><item><title>Changes coming to gift cards</title><description>&lt;p&gt;As consumers increasingly have embraced Visa- or MasterCard-branded gift cards, the card networks have become more concerned with the &amp;ldquo;user experience&amp;rdquo; at checkout and the impact of shoppers not knowing the balance remaining on their card during the process.&lt;/p&gt;
&lt;p&gt;As you might expect, if the consumer brings $100 worth of merchandise to the counter and presents a gift card with only a $25 remaining balance, the transaction currently is declined at the point-of-sale terminal because $100 is more than the &amp;ldquo;credit limit.&amp;rdquo; The consumer is then presented with a dilemma. Does the consumer become embarrassed and try to explain to the clerk why there isn&amp;rsquo;t enough value on the card, or does he or she simply provide a different form of payment (which may not be the same &amp;ldquo;flavor&amp;rdquo; as the gift card), or abandon the transaction at the cash register?&lt;/p&gt;
&lt;p&gt;None of these options is considered good, and the card networks have come to the conclusion that a &amp;ldquo;partial authorization&amp;rdquo; solution is needed.&lt;/p&gt;
&lt;p&gt;That&amp;rsquo;s why as terminals or software is upgraded, the transactional experience is being modified. The new systems are &amp;ldquo;partially&amp;rdquo; authorizing the transaction and alerting, in different fashions, the clerk to collect the remaining amount via a different payment choice.&lt;/p&gt;
&lt;p&gt;While helpful to the consumer, this split-tender transaction could become problematic if you don&amp;rsquo;t properly train your staff.&lt;/p&gt;
&lt;p&gt;Most retail cashiers are used to a receipt printing and asking the consumer to sign it. But they don&amp;rsquo;t expect a receipt to print for a partial amount. If a clerk simply assumes that a transaction that generates a receipt is complete, the clerk could be releasing merchandise with only partial payment.&lt;/p&gt;
&lt;p&gt;Some of the terminal manufacturers and software providers are prompting the sales clerk with a warning message prior to printing the receipt, but not all of them handle the partial authorization this way. You should make sure that you understand how your terminal is handling this partial authorization and make sure that your staff is properly trained.&lt;/p&gt;
&lt;p&gt;In the future, partial authorization will be extended to debit cards and credit cards. So while this may be a small issue today, it will grow over time.&lt;/p&gt;
&lt;p&gt;If you have specific questions about partial authorization, you should contact your merchant processing vendor&amp;rsquo;s help desk.&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=351906&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fChanges_coming_to_gift_cards%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/Changes_coming_to_gift_cards/</guid><pubDate>Thu, 15 Dec 2011 15:27:00 GMT</pubDate></item><item><title>Do the bad guys have your number</title><description>&lt;p&gt;Most of us hear about the really big data breaches that hit large retailers, governments and health care facilities. They make national news when they occur. But what we don&amp;rsquo;t hear about are all the &amp;ldquo;little guys&amp;rdquo; who increasingly are becoming the targets of cyber thugs.&lt;/p&gt;
&lt;p&gt;For a number of years the small and medium size businesses that accept cards as a form of payment were flying under the radar of the bad guys. But as large businesses have tightened up their card data handling procedures and bad guys are having a more difficult time hacking into their systems, the smaller companies have started to attract unwanted attention.&lt;/p&gt;
&lt;p&gt;More and more of these smaller businesses are seeing hacking attempts and, in some unfortunate cases, successful theft of cardholder data. According to the U.S. Secret Service and Verizon Communications, Inc.&amp;rsquo;s audit unit, there were 761 known breaches in 2010, up from 141 in 2009. Of these, 63 percent (482) were from companies with 100 or &lt;em&gt;fewer&lt;/em&gt; employees. Visa has estimated the majority (95 percent) of the data breaches it now handles are from small and medium size businesses.&lt;/p&gt;
&lt;p&gt;A recent news story in the &lt;em&gt;Wall Street Journal&lt;/em&gt; illustrated the negative impact that this could have on &lt;em&gt;your&lt;/em&gt; business. In one case, a restaurant in Washington State ended up going out of business due to the cost of the audit and expense of cleaning up the mess from its data breach.&lt;/p&gt;
&lt;p&gt;In another case, a Chicago area newsstand hacked by someone using a Russian server ended up spending $22,000 on &amp;ldquo;investigations and security improvements.&amp;rdquo; The initial problem was traced back to weak password security.&lt;/p&gt;
&lt;p&gt;In both of these cases, the businesses were very small compared to the data breaches you hear about on the evening news. Could your business, even in the best of times, absorb a $10,000&amp;ndash;$20,000 hit to the bottom line?&lt;/p&gt;
&lt;p&gt;Realizing that small businesses look to their processors for assistance, last year we started providing automatic insurance coverage for data breaches for all of our merchants. For merchants that process their credit card transactions with us, we provide $100,000 in insurance coverage per merchant identification number (MID) (with a maximum of $500,000) as part of their monthly statement fee.&lt;/p&gt;
&lt;p&gt;This insurance will cover the audit, the fines from the card associations and the costs to reissue the cards that were compromised. If you aren&amp;rsquo;t using a processing solution that provides this coverage, you should either contact your insurance company to explore getting a policy that would cover you, or consider changing to a merchant processing solution that covers you for this type of event.&lt;/p&gt;
&lt;p&gt;More and more large companies are &amp;ldquo;cleaning up their act&amp;rdquo; when it comes to protecting card data. While that&amp;rsquo;s good, it has moved small and medium size businesses into the bad guys&amp;rsquo; crosshairs.&lt;/p&gt;
&lt;p&gt;Are you protecting your data, and are you insured against a breach?&lt;/p&gt;
&lt;p&gt;&lt;em&gt;John Mayleben is Michigan Retailers Association senior vice president, technology and product development, and a national expert on electronic payment processing.&lt;/em&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=354691&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fDo_the_bad_guys_have_your_number%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/Do_the_bad_guys_have_your_number/</guid><pubDate>Wed, 23 Nov 2011 15:23:00 GMT</pubDate></item><item><title>Guard credit card data like cash</title><description>&lt;p&gt;While waiting in line at a local fast food restaurant recently, I
noticed a sign that you would normally only see in the breakroom or on
an employee bulletin board out of sight from the customers.&lt;/p&gt;
&lt;p&gt;It was titled (in the giant-sized headline usually reserved for major
news events) &amp;ldquo;Credit Card Fraud is a Federal Crime&amp;rdquo; and went on to
advise the employees of this chain of restaurants that capturing, or
&amp;ldquo;skimming,&amp;rdquo; a card number from a customer&amp;rsquo;s card is a crime, even if you
don&amp;rsquo;t use the card number to purchase something.&lt;/p&gt;
&lt;p&gt;The simple act of skimming the card number with the intent to sell or
give it to a bad guy can result in a 10-year sentence at the federal
level, plus other state laws may also apply.&lt;/p&gt;
&lt;p&gt;This notice reminded me that, much like shoplifting, you can&amp;rsquo;t just
work on protecting your company from outside bad guys. The sorry fact is
that you also need to look inward to make sure you have appropriate
procedures in place for staff.&lt;/p&gt;
&lt;p&gt;As with theft of merchandise, the inside job will probably result in a higher loss and go on for a lot longer.&lt;/p&gt;
&lt;p&gt;If you have not already done so, you should take a minute and watch
what happens to a credit card transaction within your business and see
if you can determine weak points in the process.&lt;/p&gt;
&lt;p&gt;You should be watching for points where card data are left &amp;ldquo;alone&amp;rdquo;
with just one person. Does the employee take the consumer&amp;rsquo;s card (or the
card information in a non face-to-face transaction) and have time to
secretly record this data?&lt;/p&gt;
&lt;p&gt;While most transactions in a face-to-face environment occur in front
of the consumer, and in theory the consumer is watching the card during
the transaction, some don&amp;rsquo;t. These include a drive-through shopping
experience or a sit-down restaurant.&lt;/p&gt;
&lt;p&gt;Some businesses offer shopping experiences where there may be a time
that the customer is not near the credit card terminal during the
transaction. If your business model has these types of situations, you
should be even more alert to behaviors of staff members and to calls
from cardholders indicating anomalies with their cards after purchasing
something from your store.&lt;/p&gt;
&lt;p&gt;In one recent case, a retailer hired a staff member who was fluent in
a second language to handle calls from customers who did not speak
English. Knowing he was the only employee who spoke the other language,
the employee decided to steal card data only from customers who spoke
that language. He knew that any complaints would be routed through him
for translation, and he could control the situation.&lt;/p&gt;
&lt;p&gt;Think of card data as cash. You have systems and procedures in place
to control access to cash, and you should be doing the same thing with
card data!&lt;/p&gt;
&lt;p&gt;&lt;em&gt;John Mayleben is Michigan Retailers Association senior vice
president, technology and product development, and a national expert on
electronic payment processing.&lt;/em&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=354692&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fGuard_credit_card_data_like_cash%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/Guard_credit_card_data_like_cash/</guid><pubDate>Wed, 23 Nov 2011 15:26:00 GMT</pubDate></item><item><title>Never wire money as part of a retail sale</title><description>&lt;p&gt;&amp;ldquo;Never say never&amp;rdquo; usually holds true in life, but in the case of
handling a MOTO (mail order/telephone order) transaction as a retailer,
you should &lt;em&gt;never&lt;/em&gt; wire money to someone.&lt;/p&gt;
&lt;p&gt;Let me repeat, because it&amp;rsquo;s that important. &lt;em&gt;Never&lt;/em&gt; wire money to someone as part of a retail transaction.&lt;/p&gt;
&lt;p&gt;With the Great Recession of 2009-10 has come a marked increase in the
number of merchants who are being taken advantage of by fast-talking
scam artists who want something for nothing.&lt;/p&gt;
&lt;p&gt;The scam usually starts innocently enough. You get a nice size order
for products or services from an unexpected source. The story seems
legitimate and fits your business model.&lt;/p&gt;
&lt;p&gt;After the bad guy has set the hook, he suddenly &amp;ldquo;discovers&amp;rdquo; a problem
that can be &amp;ldquo;solved&amp;rdquo; with the help of you, the merchant. Usually it is
for shipping or for other services; the problem has even been to help
the &amp;ldquo;customer&amp;rdquo; with customs (for an international order) or tax
reporting.&lt;/p&gt;
&lt;p&gt;The solution to the customer&amp;rsquo;s problem is for you to run another transaction and wire the money to another person or company.&lt;/p&gt;
&lt;p&gt;These scams are limited only by the imagination of the scam artist
and the gullibility of the merchant. Here are some real-life examples:&lt;/p&gt;
&lt;p&gt;&amp;bull; A jewelry store customer requests a custom diamond ring, but needs part of the purchase price rebated to cover shipping and/or duty;&lt;br /&gt;
&amp;bull; A car dealer customer is interested in purchasing a unique used car, but needs part of the purchase price rebated to handle the shipping of the car;&lt;br /&gt;
&amp;bull; A granite memorial customer is interested in purchasing a custom headstone for a dead relative, but needs a portion of the purchase price rebated to facilitate delivery and installation;&lt;br /&gt;
&amp;bull; A tire dealer customer wants to purchase four racing tires, but wants them shipped to the racing event and requires a special shipping method;&lt;br /&gt;
&amp;bull; A B&amp;amp;B owner receives a request to &amp;ldquo;rent&amp;rdquo; the entire facility for executive meetings, but requires the use of an interpreter and needs the separate services to appear as one transaction for tax reasons.&lt;/p&gt;
&lt;p&gt;As you might expect, the person or company receiving the wired funds is a partner in the crime being committed. The scam artist has no interest in the actual item or the service, just the wired money.&lt;/p&gt;
&lt;p&gt;If you receive an order that follows this track, &lt;em&gt;do not wire money&lt;/em&gt;. &lt;em&gt;Ever. &lt;/em&gt;Once
you wire the money (via Western Union or similar service) it is gone
forever, because there is almost no way to get it back. The bad guy has
your money, and the credit card transaction will become a chargeback
with you holding the bag.&lt;/p&gt;
&lt;p&gt;If you ever have doubts about a transaction, call your help desk.
They have probably seen or heard of the scam before and can offer sound
advice. Remember, a sale that turns into bad debt is not a sale, it is
just &lt;em&gt;bad debt&lt;/em&gt;.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;John Mayleben is Michigan Retailers Association senior vice
president, technology and product development, and a national expert on
electronic payment processing.&lt;/em&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=354693&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fNever_wire_money_as_part_of_a_retail_sale%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/Never_wire_money_as_part_of_a_retail_sale/</guid><pubDate>Wed, 23 Nov 2011 15:27:00 GMT</pubDate></item><item><title>Smartphone app lets you process card transactions</title><description>&lt;p&gt;My last column focused on recent and coming changes in the size, shape
and look of the credit cards you handle as a merchant. Now let&amp;rsquo;s take a
closer look at another big change: a new and highly portable way to
process some card transactions.&lt;/p&gt;
&lt;p&gt;With the growth of the &amp;ldquo;smartphone&amp;rdquo; marketplace, we are seeing more
and more merchant processing solutions oriented toward merchants who
could benefit from turning their phones into credit card terminals.&lt;/p&gt;
&lt;p&gt;Michigan Retailers Association, as one of the nation&amp;rsquo;s oldest
non-bank solution providers in the merchant processing arena, is always
looking for ways to help our members speed up the transaction process
and save money. That&amp;rsquo;s why we&amp;rsquo;ve checked out what&amp;rsquo;s available and have
come up with the best smartphone solution for our members, one that
saves them time and money.&lt;/p&gt;
&lt;p&gt;More about that in a moment. But first, some background.&lt;/p&gt;
&lt;p&gt;Years ago, the card associations (Visa, MasterCard) and their issuing
banks established a tiered pricing model that, for security reasons,
penalized merchants who weren&amp;rsquo;t able to swipe a card. In some cases
(towing, deliveries, outside salespeople), the merchant or the employee
had the card in hand but not at the same time as there was access to a
terminal.&lt;/p&gt;
&lt;p&gt;Those merchants ended up paying a higher rate for a transaction that
really was &amp;ldquo;face-to-face.&amp;rdquo; Most of those cases involved calling back to
the home office for an &amp;ldquo;approval&amp;rdquo; number or taking the chance that an
approval could be secured at a later time. The problem was, the first
dramatically increased the time of the transaction, and the second
created risk to the merchant.&lt;/p&gt;
&lt;p&gt;A number of years ago, terminal manufacturers designed terminals that
had cellular modems. But they were expensive and designed to be
single-function devices. While some merchants saw value in these units, many
did not.&lt;/p&gt;
&lt;p&gt;Now, with the increasing number of smartphones in use and the dawn
of the &amp;ldquo;app store&amp;rdquo; for distributing software, a successful alternative
has been created.&lt;/p&gt;
&lt;p&gt;We are now able to use a magstripe reader that slides onto your
iPhone (3G, 3GS, or 4) and that, with the accompanying software, allows
you to process a swipe transaction, collect a digital signature, and
email the receipt to the customer.&lt;/p&gt;
&lt;p&gt;In addition, you have access to a &amp;ldquo;virtual&amp;rdquo; terminal from any
computer that can get you to the Internet in order to process other
transactions (credits, voids, etc.) and run reports.&lt;/p&gt;
&lt;p&gt;We&amp;rsquo;re excited about this new technology as a way to help our members
increase their capabilities, boost efficiency and reduce costs.&lt;/p&gt;
&lt;p&gt;To see a demonstration of this new solution, please contact your Michigan Retailers Association &lt;a href="http://retailers.com/mra/member-services/contact-your-marketing-rep.html"&gt;regional marketing representative&lt;/a&gt;. Your rep can discuss or demonstrate how the equipment and software work and the benefits to your specific business.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;John Mayleben is Michigan Retailers Association senior vice
president, technology and product development, and a national expert on
electronic payment processing.&lt;/em&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=354695&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fSmartphone_app_lets_you_process_card_transactions%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/Smartphone_app_lets_you_process_card_transactions/</guid><pubDate>Wed, 23 Nov 2011 15:29:00 GMT</pubDate></item><item><title>New look for credit cards more than a fancy facelift</title><description>&lt;p&gt;What is happening to credit and debit cards?&lt;/p&gt;
&lt;p&gt;After many years of forcing banks to adhere to standard formats for designing cards, the card brands (Visa, MasterCard) have loosened up on their requirements. This has allowed issuing banks to get a little more creative in the way they design the &amp;ldquo;look&amp;rdquo; of a card.&lt;/p&gt;
&lt;p&gt;If you accept cards, though, the changes can be more than just cosmetic.&lt;/p&gt;
&lt;p&gt;&lt;img width="180" height="286" class="left" src="/mra/template-images/visa_vertical_card.jpg" alt="visa_vertical_card" /&gt;First, Visa now allows a card to be printed vertically (portrait) instead of the more traditional horizontal (landscape) orientation. While this by itself is cause for little more than a minor discussion about design, another change has a significant impact on merchants who accept cards.&lt;/p&gt;
&lt;p&gt;That&amp;rsquo;s because Visa also allows an issuing bank to laser print the cardholder name and information on the front of the card. If you, as a merchant, use an old style imprinter (aka, &amp;ldquo;knuckle buster&amp;rdquo; or &amp;ldquo;zip zap&amp;rdquo; machine), you will not be able to accept these cards without handwriting the card information.&lt;/p&gt;
&lt;p&gt;Similarly, if the magnetic stripe is damaged and you have to hand key the card information into your electronic terminal, you will not be able to complete the manual imprinter slip properly. While you will still be able to get an authorization code in either of these two scenarios, the failure to collect an &amp;ldquo;imprint&amp;rdquo; of the card information opens you up to a possible chargeback, which you will lose every time.&lt;/p&gt;
&lt;p&gt;Since these non-embossed cards do not allow for manual imprinting, businesses without terminals, or with cards that can&amp;rsquo;t be swiped, should ask the consumer for another form of payment. In these cases the cardholder will probably not understand why the card is being refused. The cardholder should be directed to the issuing bank to get a replacement card. The bank&amp;rsquo;s phone number is located on the back of the card.&lt;/p&gt;
&lt;p&gt;The other change that has been happening slowly over the last few years is the migration of the hologram to the back of the card. The hologram is an important fraud protection device on each card.&lt;/p&gt;
&lt;p&gt;In the past, the card brand hologram was located along the line of the account number so that the number was embossed right through the hologram as a way to deter counterfeiting of the cards. With the changes noted above, this is no longer needed, but the card hologram still serves as a way to make counterfeiting harder.&lt;/p&gt;
&lt;p&gt;As always, businesses that process through MRA should call our customer service department with any questions brought on by the new-look cards.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;John Mayleben is Michigan Retailers Association senior vice president, technology and product development, and a national expert on electronic payment processing.&lt;/em&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=354699&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fNew_look_for_credit_cards_more_than_a_fancy_facelift%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/New_look_for_credit_cards_more_than_a_fancy_facelift/</guid><pubDate>Wed, 23 Nov 2011 15:32:00 GMT</pubDate></item><item><title>Be vigilant — the world is full of scammers</title><description>&lt;p&gt;A number of news stories and some recent personal experiences
illustrate why everyone in the electronic transaction payment loop needs
to be paying attention to how his or her behavior can impact data
security.&lt;/p&gt;
&lt;p&gt;My teenage daughter and I started looking for a used car for her a
few weeks ago. We went to all of the usual sources, including the local
newspaper and the Internet.&lt;/p&gt;
&lt;p&gt;On more than one occasion, after finding a car that fit our needs and
my daughter sending off an email, the response came back &amp;mdash; oddly &amp;mdash; from
someone who had moved overseas or was a member of the armed forces or
had experienced a death in the family or the loss of a job. In all
cases, they wanted me to wire the money and they promised to send the
title after receiving payment.&lt;/p&gt;
&lt;p&gt;I was able to use this as one of the (rare) moments when you can pass
on a little knowledge to your teenager. Obviously, these were
fraudulent situations just waiting for someone to send money.&lt;/p&gt;
&lt;p&gt;Although skeptical of my suspicions at first, my daughter soon came
to see &amp;mdash; as the number of similar replies mounted up &amp;mdash; that it really
was a scam.&lt;/p&gt;
&lt;p&gt;Recently, a major international retailer was the victim of another &amp;ldquo;good story.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Someone called one of the retailer&amp;rsquo;s 24-hour locations at 1 a.m. and
convinced the customer service desk clerk that the caller was from the
retailer&amp;rsquo;s internal IT department and was doing some testing of the
systems. The caller needed some &amp;ldquo;live&amp;rdquo; gift card account numbers
activated and the corresponding &amp;ldquo;secret codes&amp;rdquo; located under the
scratch-off section.&lt;/p&gt;
&lt;p&gt;The caller ended up getting $11,000 worth of gift cards that had been
activated and were able to be used at other locations before the
morning shift arrived and realized what had happened.&lt;/p&gt;
&lt;p&gt;The last situation recently came to light through a published story
about another scam &amp;mdash; a hardware &amp;ldquo;hack&amp;rdquo; of a multistate retailer. In this
case, authorities suspect that a ring of thieves was going into stores
and distracting the employees so that they could &amp;ldquo;swap out&amp;rdquo; the
customer-facing payment devices (the retailer operates in a multi-lane
environment within each of its stores). With the new terminals in use,
they were able to sit outside the store with wireless computers and get
copies of all the card data and PIN numbers (this retailer did not
accept credit cards, only PIN debit).&lt;/p&gt;
&lt;p&gt;In all three cases, the common theme is &amp;ldquo;Knowledge is Power.&amp;rdquo; Whether
it is your teenager, your sales clerk covering a late shift, or your
store manager, make sure everyone understands the importance of watching
for the unusual. Just as important is to make sure everyone knows it is
okay to question these unusual situations.&lt;/p&gt;
&lt;p&gt;The world is full of scammers. We all need to be vigilant in protecting our customers&amp;rsquo; data and our own resources.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;John Mayleben is Michigan Retailers Association senior vice
president, technology and product development, and a national expert on
electronic payment processing.&lt;/em&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=354700&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fBe_vigilant_%25e2%2580%2594_the_world_is_full_of_scammers%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/Be_vigilant_—_the_world_is_full_of_scammers/</guid><pubDate>Wed, 23 Nov 2011 15:34:00 GMT</pubDate></item><item><title>IRS moves will impact credit card merchants</title><description>
&lt;p&gt;The Internal Revenue Service recently announced it will begin issuing
prepaid debit cards to some taxpayers on a trial basis in 2011 instead
of mailing them refund checks during the tax season.&lt;/p&gt;
&lt;p&gt;This could create more traffic around tax time in retail stores that accept debit card payments.&lt;/p&gt;
&lt;p&gt;The pilot program is designed to make it easier for Americans without
savings and checking accounts to get access to their income tax
refunds. The IRS says too many recipients are forced to use &amp;ldquo;high-cost
alternative financial products,&amp;rdquo; such as check-cashing and similar
services that eat into their refunds.&lt;/p&gt;
&lt;p&gt;The government estimates there are 30 million Americans without bank accounts or with accounts that don&amp;rsquo;t meet their needs.&lt;/p&gt;
&lt;p&gt;Another, perhaps &amp;ldquo;more taxing,&amp;rdquo; IRS change involving businesses that
accept credit and debit card payments comes as a result of the U.S.
Housing and Economic Recovery Act of 2008.&lt;/p&gt;
&lt;p&gt;The legislation was one of the responses to the recent financial
crisis and, as a way to fund it, Congress directed the Internal Revenue
Service to make sure all merchant processing transactions are
appropriately reported as &amp;ldquo;income&amp;rdquo; to a business and, therefore, taxed.&lt;/p&gt;
&lt;p&gt;Starting in January 2011, all credit card processors (such as
Michigan Retailers Association) must report individual business
transaction volume to the IRS along with the merchant&amp;rsquo;s TIN (Taxpayer
Identification Number). That also means virtually every merchant will be
receiving a 1099 form from the processor at the end of 2011 showing the
transaction volume that was processed.&lt;/p&gt;
&lt;p&gt;If a merchant does not provide an accurate TIN, the credit card
processor is required to withhold 28 percent of the processing volume
and remit those funds to the IRS. Clearly, this is something that both
processors and merchants want to avoid.&lt;/p&gt;
&lt;p&gt;For those businesses that use MRA for processing transactions, you
should know that we are working on creating a method of confirming that
everyone&amp;rsquo;s TIN and legal name are accurate, in order for MRA to avoid
the withholding requirement.&lt;/p&gt;
&lt;p&gt;A third important change you should know about also comes in response
to recent federal legislation &amp;mdash; this time health care reform. Merchants
who sell products or services that could be paid for with an FSA
(Flexible Spending Account) card will need to review the changes
scheduled to take effect January 1, 2011.&lt;/p&gt;
&lt;p&gt;FSA cards are tied to tax-favored accounts, such as Section 125
Flexible Spending Accounts, Health Reimbursement Accounts, and Health
Savings Accounts. After January 1, a number of items previously allowed
for reimbursement via an FSA card will no longer be allowed.&lt;/p&gt;
&lt;p&gt;Most, if not all, over-the-counter medications (except those
&amp;ldquo;prescribed&amp;rdquo; by a doctor) will be eliminated from the list of eligible
items. People with a prescription for an over-the-counter
medication will need to pay for it and seek manual reimbursement.&lt;/p&gt;
&lt;p&gt;As you can see, January will usher in a new year and important new changes by the IRS.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;John Mayleben is Michigan Retailers Association senior vice
president, technology and product development, and a national expert on
electronic payment processing.&lt;/em&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=354701&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fIRS_moves_will_impact_credit_card_merchants%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/IRS_moves_will_impact_credit_card_merchants/</guid><pubDate>Wed, 23 Nov 2011 15:35:00 GMT</pubDate></item><item><title>New law lets you set minimum purchases</title><description>&lt;p&gt;As a result of the nation&amp;rsquo;s economic turmoil, Congress has been
working to put new safeguards in place to prevent future financial
failures. While we might argue over whether these efforts will be
successful, lawmakers have enacted at least two significant pieces of
legislation that impact all merchants who accept credit or debit cards.&lt;/p&gt;
&lt;p&gt;The first is legislation that addresses overdraft protection and how a
consumer elects to participate in his or her bank&amp;rsquo;s program. The second
new measure involves everyday transactions using credit or debit cards.&lt;/p&gt;
&lt;p&gt;In the first situation, a number of banks ran &amp;ldquo;opt-out&amp;rdquo; programs that
automatically enrolled a consumer in overdraft protection unless he or
she chose not to participate. Automatic enrollment is now prohibited,
and a consumer must &amp;ldquo;opt-in&amp;rdquo; instead.&lt;/p&gt;
&lt;p&gt;So what, you say? The unintended consequence of this change is that
fewer consumers are signing up for the coverage, with the result that
consumers who use their debit cards may see more &amp;ldquo;declines&amp;rdquo; at your cash
register, even though they have money in their bank account.&lt;/p&gt;
&lt;p&gt;Customers who don&amp;rsquo;t understand the reason for these declines may take
out their surprise and disappointment on you or your employees.&lt;/p&gt;
&lt;p&gt;For example, if a consumer rents a car while on vacation, the car
rental company will charge the card the rental rate plus authorize the
card for a deposit in case the car isn&amp;rsquo;t returned or is damaged. This
authorization is held against the customer&amp;rsquo;s account balance, even
though it&amp;rsquo;s likely the card will never be charged for that amount. If
the consumer then comes to your business and attempts to use his or her
debit card, it could well be declined. In the past, with overdraft
protection automatically in place, the bank had a safety net and would
approve the transaction.&lt;/p&gt;
&lt;p&gt;Unfortunately, there is not much you as a merchant can do in these
situations, other than attempt to educate your customers, especially if
you are in a situation where you are using a card transaction for a
security deposit.&lt;/p&gt;
&lt;p&gt;The second big &amp;mdash; and most far-reaching &amp;mdash; legal change is the &amp;ldquo;Durbin&amp;rdquo;
amendment on credit/debit transactions. There are a number of pieces to
this legislation still working their way through the regulatory process
in Washington, but three of the changes have an immediate impact on
merchants.&lt;/p&gt;
&lt;p&gt;First, any merchant who accepts credit is now allowed to establish a
store policy setting a minimum purchase for a transaction. This minimum
cannot exceed $10 and needs to be clearly posted and communicated with
customers prior to ringing up their transactions. This minimum can only
apply to &amp;ldquo;credit&amp;rdquo; cards and does not apply to PIN debit or signature
debit cards. If you establish this policy, you will need to make sure
your staff are trained in how to identify a credit card so that you are
in compliance with these regulations.&lt;/p&gt;
&lt;p&gt;The second piece of the Durbin amendment that you can implement
immediately is that you as a merchant can steer a debit transaction to a
lower-cost processing solution. While you have no real control over a
customer who insists on using a debit card as a signature debit (and
therefore running the transaction on the Visa or MasterCard network), if
you are set up for PIN debit you can encourage the customer to use
his/her PIN number &amp;mdash; which may be processed at a lower cost to your
business.&lt;/p&gt;
&lt;p&gt;The third immediate change allows you as a retailer to provide a
discount to a customer electing to use a lower cost processing solution.
You have always had the ability to offer a cash discount, but now you
can offer a discount based on the type of card used. The only
requirement is that you treat all similar cards equally.&lt;/p&gt;
&lt;p&gt;For example, you might establish a 3-percent discount for cash, a
2-percent discount for PIN Debit transactions, and a 1-percent discount
for signature debit transactions.&lt;/p&gt;
&lt;p&gt;As the payments landscape continues to change and other parts of the
Durbin amendment are put in place, we&amp;rsquo;ll make sure to update you on the
new requirements.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;John Mayleben is Michigan Retailers Association senior vice
president, technology and product development, and a national expert on
electronic payment processing.&lt;/em&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=354702&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fNew_law_lets_you_set_minimum_purchases%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/New_law_lets_you_set_minimum_purchases/</guid><pubDate>Wed, 23 Nov 2011 15:37:00 GMT</pubDate></item><item><title>All merchants must show data security compliance</title><description>&lt;p&gt;All businesses that accept credit or debit cards are now required to
attest in writing that they are not storing prohibited data
and that, if they store certain &amp;ldquo;protected&amp;rdquo; data, they have
appropriate security systems and procedures in place.&lt;/p&gt;
&lt;p&gt;As of October 1, when a new version of the Payment Card
Industry Data Security Standard (PCI-DSS) went into effect, businesses
must complete and have on file a compliance certification. In
the past, small merchants were expected to complete the
questionnaire but did not have to have paperwork on file. An
acquirer, processor or card association may request to see the
certification in the event of a security problem or question.&lt;/p&gt;
&lt;p&gt;For most small businesses, certification will consist of a
completed Self-Assessment Questionnaire and Attestation of Compliance
(SAQ). Forms are available for download here. You will
need to select one of four SAQs depending on how you process
transactions.&lt;/p&gt;
&lt;p&gt;Let&amp;rsquo;s look again at what you will attest. &lt;strong&gt;&amp;ldquo;Prohibited&amp;rdquo;&lt;/strong&gt;
data may not ever be stored after the transaction has been settled
with the processor. Prohibited data include the full magnetic
stripe data (specifically the CVV or CVC code) and the
CVV2/CVC2 code.&lt;/p&gt;
&lt;p&gt;The CVV/CVC code is a unique three-digit code that is only
on the magnetic stripe and allows the card system to validate that
the swiped card is not a counterfeit.&lt;/p&gt;
&lt;p&gt;The CVV2/CVC2 is commonly called the security code and is
printed on the back of the card, near the signature (but does not
appear on the mag stripe). The CVV2/CVC2 code is used during a
&amp;ldquo;card not present&amp;rdquo; transaction&amp;mdash;for example, with telephone or
Internet orders&amp;mdash;to verify that the customer actually has the
card in his or her possession.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&amp;ldquo;Protected&amp;rdquo;&lt;/strong&gt; data include the card number,
the expiration date and the customer&amp;rsquo;s name when stored together.
If you determine there is a business case for it, you are permitted
to store this data.&lt;/p&gt;
&lt;p&gt;If you do so, however, you are required to certify&amp;mdash;as part
of your business&amp;rsquo;s PCI compliance certification&amp;mdash;that appropriate
security systems and procedures are in place to protect it.
Truncated card numbers do not fall under these rules.&lt;/p&gt;
&lt;p&gt;Most businesses, once they fully consider the risks, determine that they don&amp;rsquo;t need to store this information.&lt;/p&gt;
&lt;p&gt;The self-assessment questionnaire is designed to help
business owners review their business practices and make sure that they
are not violating the card association standards. They should
also review these procedures with staff since there may be
staff members who are collecting or storing data
inappropriately without the owner&amp;rsquo;s knowledge.&lt;/p&gt;
&lt;p&gt;Regardless of who collects it or why it is collected, the
business is responsible for the personal information collected from
customers.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;John Mayleben is Michigan Retailers Association senior vice
president, technology and product development, and a national expert on
electronic payment processing.&lt;/em&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=354704&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fAll_merchants_must_show_data_security_compliance%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/All_merchants_must_show_data_security_compliance/</guid><pubDate>Wed, 23 Nov 2011 15:39:00 GMT</pubDate></item><item><title>PCI is here! PCI is here!</title><description>&lt;p&gt;While it might not be as exciting as the number of lanterns in the
belfry of Boston&amp;rsquo;s North Church and Paul Revere&amp;rsquo;s famous
pronouncement that the British were coming, we have passed the
deadline for level 4 merchants to have completed their PCI
(data security) certification.&lt;/p&gt;
&lt;p&gt;Level 4 merchants are those who process less than one million
card transactions for each of the card brands (Visa, MasterCard,
Discover, American Express).&lt;/p&gt;
&lt;p&gt;As a level 4 merchant, you must complete a self-assessment
questionnaire and confirm (attest) that you are not inappropriately
storing cardholder data. You must also document that you are
adhering to the 12 core principles of PCI-DSS:&lt;/p&gt;
&lt;p&gt;&amp;bull; Install and maintain a firewall configuration to protect data&lt;/p&gt;
&lt;p&gt;&amp;bull; Do not use vendor-supplied defaults for system passwords&lt;/p&gt;
&lt;p&gt;&amp;bull; Protect stored data&lt;/p&gt;
&lt;p&gt;&amp;bull; Encrypt transmission of cardholder data across public networks&lt;/p&gt;
&lt;p&gt;&amp;bull; Use and regularly update anti-virus software&lt;/p&gt;
&lt;p&gt;&amp;bull; Develop and maintain secure systems and applications&lt;/p&gt;
&lt;p&gt;&amp;bull; Restrict access to data by business need-to-know&lt;/p&gt;
&lt;p&gt;&amp;bull; Restrict physical access to data&lt;/p&gt;
&lt;p&gt;&amp;bull; Assign a unique ID to each person with computer access&lt;/p&gt;
&lt;p&gt;&amp;bull; Track and monitor all access to network resources and cardholder data&lt;/p&gt;
&lt;p&gt;&amp;bull; Regularly test security systems and processes&lt;/p&gt;
&lt;p&gt;&amp;bull; Maintain a policy that addresses information security.&lt;/p&gt;
&lt;p&gt;In addition to reviewing these 12 principles, you should
take a minute and watch how your staff is handling customer
transactions. A number of merchants, when pushed to review
their various procedures and processes, have discovered that
cardholder data are being inappropriately stored, handled or
transmitted.&lt;/p&gt;
&lt;p&gt;Usually the reasons for these outdated procedures made
sense at some point in the past but now simply create an exposure for
the business owner.&lt;/p&gt;
&lt;p&gt;None of us wants a data breach. The negative impact of
publicity, the cost of remediation, and the fines from the card
associations are just a few of the reasons. In one case
involving a restaurant (not one of our merchants), the
business owner ended up spending about $40,000 to respond to
and resolve a relatively small data breach.&lt;/p&gt;
&lt;p&gt;Information about these 12 core principles and the different
self-assessment questionnaires can be found on www.retailers.com
under the &amp;ldquo;forms&amp;rdquo; tab. Please make sure that you take a minute
and review the process of certifying that you are PCI
Compliant. Once you have done that, take time to complete the
SAQ and safely store the SAQ in your files.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;John Mayleben is Michigan Retailers Association senior vice
president, technology and product development, and a national expert on
electronic payment processing.&lt;/em&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=354705&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fPCI_is_here!_PCI_is_here!%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/PCI_is_here!_PCI_is_here!/</guid><pubDate>Wed, 23 Nov 2011 15:41:00 GMT</pubDate></item><item><title>Two pitfalls of processing</title><description>&lt;p&gt;Two issues regularly come up when I speak with businesses that accept
credit cards: return policies and charging more for credit than for
cash payments. Both of these questions are addressed in the merchant
agreement that you completed with your credit card processor.&lt;/p&gt;
&lt;p&gt;If you accept payment for goods or services via credit card and you
have a specific return policy, your policy must be stated on the sales
draft within close proximity to the signature prior to the consumer
signing the sales slip.&lt;/p&gt;
&lt;p&gt;If you use an electronic printer, your merchant services help desk can arrange to have the appropriate language programmed.&lt;/p&gt;
&lt;p&gt;If you choose to accept a return after you have processed a sale, you
should process a &amp;ldquo;credit&amp;rdquo; through your terminal, using the same credit
or debit card that was used at the time of purchase. In this way you
maintain the &amp;ldquo;paper trail&amp;rdquo; in case the customer attempts to dispute the
original transaction.&lt;/p&gt;
&lt;p&gt;If you have issued a cash refund and the customer then contacts the
card-issuing organization, you may face a chargeback because you would
not be able to document that you have issued a refund.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Surcharges&lt;/strong&gt;&lt;br /&gt;
I&amp;rsquo;m frequently asked, &amp;ldquo;Can I charge a
fee to a customer who wishes to pay with a credit card?&amp;rdquo; The short
answer is no. All card-processing agreements prohibit a surcharge on
credit card transactions.&lt;/p&gt;
&lt;p&gt;Merchants are allowed to offer a cash discount, however. The
distinction is this: the published price (in ads, on signage and on
price tags) must be the price charged for credit transactions.&lt;/p&gt;
&lt;p&gt;Selected industries are allowed to collect a &amp;ldquo;convenience fee&amp;rdquo; for
payments. Convenience fee rules were designed to allow government
entities to accept cards for things like property taxes and other fees.&lt;/p&gt;
&lt;p&gt;&lt;em&gt;John Mayleben is Michigan Retailers Association senior vice
president, technology and product development, and a national expert on
electronic payment processing.&lt;/em&gt;&lt;/p&gt;
</description><link>http://www.retailers.com/RSSRetrieve.aspx?ID=14784&amp;A=Link&amp;ObjectID=354706&amp;ObjectType=56&amp;O=http%253a%252f%252fwww.retailers.com%252f_blog%252fJohn_Mayleben_Blog%252fpost%252fTwo_pitfalls_of_processing%252f</link><guid isPermaLink="true">http://www.retailers.com/_blog/John_Mayleben_Blog/post/Two_pitfalls_of_processing/</guid><pubDate>Wed, 23 Nov 2011 15:42:00 GMT</pubDate></item></channel></rss>
