Best Practices in Electronic Payment Processing for Web Hosts
We wanted to remind our readers that we will once again be attending
Hosting Con 2007 in Chicago,
Illinois from July 23 - July 25, 2007. We will be in booth 812 this year.
Also, we wanted to inform you that we will actually be speaking on
Tuesday, July 24 on
Best Practices in Electronic Payment Processing for Web Hosts.
If you have anything that you would like to see covered in our presentation, please
contact us and let us know.
PCI Compliancy is an Ongoing Process
Once you are PCI (Payment Card Industry) compliant, you should stay PCI compliant.
Usually, you rely on your electronic payment gateway (Quantum Gateway, Linkpoint,
Payflow, Authorize.net/Cybersource, etc.) or your IPSP (Internet payment service
provider) to stay PCI compliant. PCI is a standard that the card associations (American
Express, Discover Financial Services, JCB, MasterCard Worldwide, and Visa International)
created to define and enforce security standards for cardholder data.
Visa updates the list of processors and companies who are PCI compliant on a
regular basis. For example,
Aplus.net and iTransact allowed their
PCI compliance to lapse on May 31, 2006, and Cybersource allowed its
PCI compliance to lapse on June 30, 2006. Aplus.net is a web hosting provider
that offers e-commerce solutions, so if you are relying on their network to
be compliant, you might be liable for any breach. Cybersource is an electronic
payment gateway used by thousands of merchants. Allowing their compliance
to expire, even for a few days, should be unacceptable to merchants and customers
who rely on their system to securely process transactions. Of course, these companies
might just be late in reporting to Visa that they are PCI compliant.
Google Checkout
Another company that has allowed its status to lapse is Google Checkout.
They allowed their
PCI compliance to expire on February 28, 2006. Consumers, your credit card data might
not be as secure as you would like to think. Even though Google
is a large corporation, there is no excuse for not complying with the standards
set forth by the card associations. As with Aplus.net, iTransact and Cybersource,
they might just be late in reporting their status to Visa.
Remember, it is your responsibility, as a merchant, to ensure that the provider
you are using is compliant with the security standards. If a service provider
has allowed its PCI compliance to lapse, consider contacting them to
check on the status, or switching to a provider that is compliant.
All payment gateways are required to have an on-site security audit annually
and a network scan quarterly.
Merchant Account Reviews
There are scores
of websites offering reviews of merchant accounts. Unfortunately, most of
the websites will usually be one-sided, favoring one merchant account provider
or an agent. If you are in the United States, you have hundreds of
merchant account providers to choose from, and thousands of
agents.
First, remember you will always hear more negative comments about any company
than positive ones. A perfect example is Paypal. You will hear a lot
of negative stories and comments regarding Paypal. Some people will even
claim Paypal is a scam. When something does not go our way, we tend to
complain about it or find others that have had similar situations. The
Internet has allowed those people to congregate on message boards, newsgroups,
etc., to share experiences.
You can try your best to look at different websites and get people's opinions.
Unfortunately, that is all it is - an opinion. The more you use a
service, the greater the chance that something will go wrong. Reviewing a
product or service can be very difficult. Sometimes the reviewer already has a
bias toward the company. Or the reviewer may collect other people's
opinions of a certain service because there is no way the reviewer can test
that product effectively, and usually this is the case.
Each merchant is different. The reviews you read will also reflect only a
certain amount of use of those services, which cannot really be compared to
your needs.
So what does matter in these reviews? You can consider these opinions,
but most people will not give positive comments about a company. What about your money? With
the larger companies (First Data, Nova, Chase-Paymentech), you know your money
is safe: you have a large corporation to back it up. Most agents
will resell for one of these companies (and we have already discussed how to
choose a United States merchant account provider). Most should be able
to give you a free rate review if you have an established processing history.
This review is the important factor. It will allow you to see if you could
save money by changing merchant account providers, and you might be able
to keep the same
electronic payment gateway so your website will not need to be
re-programmed.
Getting Your Money
When it comes to having a merchant account,
getting your money is just as important. Some people might tell you that if you
are in the United States and doing more than $1,000 a month, you should consider a
merchant
account along with an
electronic payment gateway instead of an
IPSP
(Internet payment service provider) like (some versions of) Paypal and
2Checkout.
There are some reasons behind this. Some processors charge a minimum fee a
month, maybe $15.00. So if you sold $1,000 of merchandise that month and
your discount rate is 2.29%, your fees would be $22.90. You have met the
monthly minimum requirement and have nothing to worry about with this
fee.
In Business to Make Money
Chances are you are in business to make money,
though, and chances are you will be doing more than $1,000 a month.
But let's say that is what you are doing. Is Paypal better for you?
Yes and no. It might be cheaper for you when you consider the amount of
money they charge. Guess what, though? Paypal keeps your money
until you sign into their website and tell them to send it over. Or you
might be able to drive down to the bank and withdraw the money via an ATM.
Either way, it is going to take you some time.
Faster Money with a Merchant Account
With a merchant
account, your money is usually deposited into your bank account a
couple of days after the
batch is completed.
Let's say you close your batch on Sunday (usually before a certain time as
well - check with your processor). If all the
programs run correctly, you should have the money in your bank account on
Tuesday.
So you just have to ask yourself: is your time worth the $25.00 or so a month you
might be spending for a merchant account? If the answer is yes, then get a
merchant account. If the answer is no, get a Paypal account.
(Keep in mind that we only discussed $1,000 a month in volume. Chances
are, for anything over this amount, the scales are going to tilt further in favor
of having a merchant account.)
Payment Application Best Practices from Visa
High profile breaches of cardholder data have garnered a lot of attention in the
media. Most of us have read or heard about the 40 million cards that were compromised
at CardSystems, or the 100 million cards compromised at TJX. As a result of these
breaches, the payment industry developed the
Payment Card Industry (PCI) Data Security
Standard (DSS). However, complying with the PCI DSS can be complicated and expensive,
especially for smaller merchants. Although we may not read about it in the press,
breaches at smaller merchants occur every day because the payment hardware and software
they use is not compliant with PCI DSS.
In an effort to make compliance with the
PCI DSS a little easier for merchants who
use payment application software, Visa developed the Payment Application Best Practices (PABP). The PABP applies to software
applications that store, process, or transmit cardholder data as part of authorization
or settlement. It does not apply to software developed in-house by merchants since
that would be covered under the merchant’s normal PCI DSS compliance.
Software vendors are required to have their payment applications certified as PABP
compliant by a Qualified Application Security Professional that is employed by a
Qualified Payment Application Security Company. Once compliant, Visa will include
the software vendor and product version in a list of validated payment applications
for one year. Software vendors must re-validate their payment applications each
year to remain on the list.
The PABP mandates are designed to eliminate the use of non-secure/vulnerable payment
applications from the Visa system. They require that members ensure merchants
do not use applications that retain prohibited data elements, and that merchants use
payment applications that adhere to Visa's PABP. If you are using a payment application
from a software vendor that is not PABP compliant, then you will not be able to comply
with the PCI DSS.
As of January 1, 2008 new merchants are not allowed to establish a merchant account
using a non-compliant payment application. Existing merchants should check with
their agent or ISO to make sure their payment application is on the list of PABP
compliant applications.
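The "prohibited data elements" above are what the PCI DSS calls sensitive authentication data: the full card number may only be stored rendered unreadable, and CVV2/CVC2/CID and full track data may not be retained at all after authorization. One check a merchant can run on its own, independent of the vendor's PABP status, is to scan the payment application's logs and databases for exactly that data. The scanner below is an added example written for this article, not code from the page, Visa or any vendor; the log format it parses is a constructed, hypothetical one, and only the Luhn (mod 10) check and the field names are standard.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of a payment application's transaction log (hypothetical format).
# Line 1 retains a full PAN and a CVV2; line 2 stores only a masked PAN;
# line 3 carries a 13-digit reference number that is not a card number.
SAMPLE_LOG = """\
2007-07-24 10:15:01 order=10001 auth=approved pan=4111111111111111 cvv2=123
2007-07-24 10:15:02 order=10002 auth=approved pan=411111******1111
2007-07-24 10:15:03 order=10003 auth=declined amount=1500.00 ref=9876543210123
"""

# A run of digits, optionally separated by single spaces or dashes ("4111 1111 ...").
DIGIT_RUN_RE = re.compile(r"\d(?:[ -]?\d)+")
# Field names under which sensitive authentication data must never be retained
# after authorization (CVV2/CVC2/CID, full track data).
SAD_FIELD_RE = re.compile(r"(?i)\b(cvv2?|cvc2?|cid|track[12]?)\s*[=:]\s*\S+")


@dataclass
class Finding:
    line_no: int
    kind: str    # "pan" for a full card number, "sad" for sensitive authentication data
    value: str   # masked PAN, or the offending field name


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check digit test used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pan(run: str) -> Optional[str]:
    """Return the longest Luhn-valid 13..19 digit window inside a digit run, if any.

    Sliding a window over the whole run avoids missing a PAN that is glued to an
    adjacent number (e.g. "4111111111111111 123" extracted as one 19-digit run).
    """
    for length in range(min(19, len(run)), 12, -1):
        for start in range(len(run) - length + 1):
            window = run[start:start + length]
            if luhn_valid(window):
                return window
    return None


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the usual display form."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def scan_log(text: str) -> List[Finding]:
    """Report every line that retains a full PAN or a sensitive authentication field."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in DIGIT_RUN_RE.finditer(line):
            pan = find_pan(re.sub(r"[ -]", "", m.group(0)))
            if pan:
                findings.append(Finding(line_no, "pan", mask_pan(pan)))
        for m in SAD_FIELD_RE.finditer(line):
            findings.append(Finding(line_no, "sad", m.group(1).lower()))
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f.line_no}: retained {f.kind} -> {f.value}")
```

Only the masked form of a detected PAN is ever reported, so the scanner's own output does not become another place where card numbers are stored. A hit on the first line is the kind of finding that means the application, whatever list it is on, is keeping data the standard forbids.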
Debit Cards on the Internet
You might have seen
discount rates of 2.05% or even lower posted on some merchant account
provider websites. This discount rate is easy to come by if you have
enough volume. Some merchant account providers, though, are now offering
merchants two rates, often called a split rate: one rate for debit
card transactions and one rate for credit card transactions.
Split Rates
Split rates might help your
business if you think a lot of your customers use a debit card. Of
course, debit cards will have to make up at least half of your volume for the
switch to be worth considering.
Blended Rates
A blended rate is what most merchants have today, whether you know it or not.
Merchant account providers charge you the same for debit card and credit card
transactions.
For example, let's say the debit card discount rate is 2.05%, the credit card
discount rate is 2.58%, and the blended rate is 2.29%. The average
transaction is $50.00 and there are 30 transactions. With a split rate, and
assuming half of your transactions are with a debit card, you would be
spending about $34.73. With a blended rate, the charges would be about
$34.35.
Remember, your discount rate is based on volume, not the number of transactions.
As usual, do a little research before switching or signing up for a split rate.
With the small monthly volume listed above ($1,500.00), your charges could be
about $38.70 using a split rate if all your transactions are credit cards.
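The split-versus-blended comparison above and the monthly-minimum arithmetic from the "Getting Your Money" section follow the same small set of rules, so here they are as a calculator. This is an added example written for this article, not code from the page or from any processor; the rate card values are the ones the article uses, and the $15.00 minimum is the figure given earlier. It goes one step beyond the text by solving for the debit share at which a split rate stops being more expensive than the blended rate.

```python
from dataclasses import dataclass
from decimal import Decimal, ROUND_HALF_UP

CENT = Decimal("0.01")


def money(amount: Decimal) -> Decimal:
    """Round to whole cents the way a statement would (half up, not banker's)."""
    return amount.quantize(CENT, rounding=ROUND_HALF_UP)


@dataclass
class RateCard:
    debit_rate: Decimal          # e.g. 2.05% -> Decimal("0.0205")
    credit_rate: Decimal         # e.g. 2.58%
    blended_rate: Decimal        # e.g. 2.29%, one rate for every card
    monthly_minimum: Decimal = Decimal("0")   # some processors charge e.g. $15.00


def split_fees(volume: Decimal, debit_share: Decimal, card: RateCard) -> Decimal:
    """Discount fees under a split rate, given the fraction of volume on debit cards."""
    debit_volume = volume * debit_share
    credit_volume = volume - debit_volume
    return money(debit_volume * card.debit_rate + credit_volume * card.credit_rate)


def blended_fees(volume: Decimal, card: RateCard) -> Decimal:
    """Discount fees under a blended rate: volume matters, transaction count does not."""
    return money(volume * card.blended_rate)


def with_minimum(fees: Decimal, card: RateCard) -> Decimal:
    """Apply the processor's monthly minimum: you pay the larger of the two."""
    return max(fees, money(card.monthly_minimum))


def breakeven_debit_share(card: RateCard) -> Decimal:
    """Debit share d at which split and blended fees are equal.

    Solves d*debit + (1-d)*credit = blended for d.
    """
    return (card.credit_rate - card.blended_rate) / (card.credit_rate - card.debit_rate)


if __name__ == "__main__":
    # Values from the article: 30 transactions averaging $50.00, i.e. $1,500.00 a month.
    card = RateCard(Decimal("0.0205"), Decimal("0.0258"), Decimal("0.0229"), Decimal("15.00"))
    volume = Decimal("1500.00")
    print("split, half debit :", split_fees(volume, Decimal("0.5"), card))
    print("blended           :", blended_fees(volume, card))
    print("split, all credit :", split_fees(volume, Decimal("0"), card))
    print("breakeven debit   :", f"{breakeven_debit_share(card):.1%}")
    print("$1,000 vs minimum :", with_minimum(blended_fees(Decimal("1000"), card), card))
```

With the article's rates the breakeven comes out at roughly 54.7% of volume on debit cards, which is why "at least half" is the floor rather than a guarantee of savings. Decimal rather than float is used deliberately: $34.725 must round to $34.73 as on the statement, and binary floating point cannot promise that.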