Account Verification with a Zero Dollar Value authorization request
Posted on Tuesday, June 09, 2009 by Bryan Johnson
We've been getting a lot of questions about Visa's new Account Verification service. Hopefully this will help clear things up a little.
For years, card not present merchants (ecommerce, phone, fax, mail) have needed to verify a cardholder's information upon acceptance when there was a delay between collecting the credit card data and actually charging the card. For example, a merchant may collect the credit card information during the initial sign up process but offer a 30 day trial period before charging the card. In this situation, it's in the best interest of the merchant to verify the cardholder's information including the credit card number, expiration date, address and CVV value for accuracy and legitimacy. The only way of doing this today is by doing a $1.00 authorization (Visa refers to these as Ghost Authorizations). While the authorization does eventually expire, some banks will show the pending $1.00 authorization which leads to merchants inevitably getting support questions regarding an improper charge.
Visa's new Account Verification program is an alternative to the $1.00 authorization. With this program, a merchant will be able to do a Zero Dollar Value authorization request which can include Address Verification (AVS) and CVV verification. MasterCard has a similar verification process for card not present recurring billing merchants with a $1.00 'test transaction'. Visa is charging for this service but MasterCard is not.
Interestingly, according to Visa, the problem that merchants have was not the primary driver behind creating the Account Verification program. Visa is trying to eliminate $1.00 authorization requests because they have a negative impact on cardholder spending. For those of us who live in the space and deal with the shortcomings and problems caused by the $1.00 auth, we're pleased with the creation of the Account Verification product whether we (merchants and service providers) were considered or not.
Visa Acquirer Processing Fee (APF) and MasterCard Network Access Brand Usage Fee (NABU)
Posted on Monday, June 08, 2009 by Bryan Johnson
Increasing fees for existing users of a product or service is never an easy thing. While there is rarely a perfect time to raise prices, there certainly are some times that are better than others. In the midst of some of the most intense dialogs that have taken place over credit card interchange, the fees that merchants pay the issuing banks to accept credit cards, Visa and MasterCard have announced one of the largest fee increases in years. The timing of their fee increase could possibly be written up in a case study as an example of what not to do.
Starting on July 1, 2009, Visa is introducing a U.S. Acquirer Processing Fee (APF). The fee will be $0.0195 on all Visa branded authorizations acquired in the U.S. regardless of where the issuer/cardholder is located. On April 18, 2009, MasterCard implemented a new Network Access and Brand Usage (NABU) fee of $0.0185 for all U.S. based sales and credit/refund transactions.
For merchants that have a larger average ticket of $150, the Visa fee increase is pretty insignificant and amounts to 1 basis point (100 basis points = 1%). For a lower average ticket of $15, it amounts to a more significant 13 basis point increase.
The timing of the fee increase, while bad, may have been strategic in the wake of all the congressional activity surrounding the credit card reform that passed last month. I'm speculating, but I wonder if both Visa and MasterCard, facing some legislative risk, were trying to re-anchor the pricing discussion at a higher starting point in case congressional mood were to turn in favor of the groups lobbying for action. Alternatively, the fee increase could have had nothing to do with this 'chatter' and was fueled by the fact that both are now public companies and need to take care of their shareholders and stock prices.
I spoke to a Visa representative recently at an industry conference and asked about the fee. I was told that they were increasing the price to more fairly align value created and price. Even if that is the case, and it's quantitatively supported, they need to do a better job selling these measurements with everyone actively engaged in the interchange pricing debate.
Visa Misuse of Authorization
Posted on Monday, May 18, 2009 by Bryan Johnson
Starting October 1, 2009, Visa will start assessing a 'misuse' fee for authorizations that are not either settled or reversed within certain timeframes. Visa refers to these as 'ghost authorizations'.
In the past, merchants frequently performed a $1.00 authorization only (without settlement) for verification and to retrieve address verification (AVS) and CVV match or mismatch information. Visa explains that they're trying to reduce ghost authorizations because they restrict a cardholder's ability to buy and increase declines.
Here is what merchants will need to do in order to comply with the new processing guideline and avoid the misuse fee. Card present authorizations that have been submitted in error and/or cancelled by the cardholder must be reversed within 24 hours. For card not present transactions, full or partial authorization reversals must be processed within 72 hours. Settlement must occur within 10 days of authorization for all merchants except Travel and Entertainment segments, which must clear within 20 days of authorization regardless of transaction date.
Visa has stated that they will be monitoring ghost authorizations and reversal levels to prevent abuse of the system and even levying fines in excessive cases. They've not revealed any thresholds or fine potential details.
As an alternative method to verify cardholder data, Visa has introduced Account Verification which will allow for a Zero Dollar Value authorization request and can include AVS and CVV data. MasterCard has a similar verification process for card not present recurring billing merchants with a $1.00 'test transaction'. Visa is charging for this service but MasterCard is not.
Yet obstacles remain with the implementation of these new changes. Many of the larger processors do not support authorization reversals and some don't have an ETA yet on supporting Visa or MasterCard's Account Verification services. Many of the Visa and MasterCard issuers (financial institutions that issue the debit/credit cards) are not able to support these services today. Visa has mandated compliance from all their issuers and MasterCard is expected to follow.
Why do merchant account providers ask for a personal guaranty?
Posted on Tuesday, February 03, 2009 by Bryan Johnson
Nearly all merchant account providers will require that a personal guaranty be signed by the owner(s) before approving an account for credit card acceptance. Some owners are justifiably reluctant to sign a personal guaranty. After all, that's one of the main reasons a legal entity was set up in the first place: to protect individuals in the organization from being subject to the company's liabilities. Most providers will waive the requirement if a) the company is public, or b) the organization is a registered 501c3 or 501c4, or c) the company's financials are adequate to satisfy the underwriters' concern about the underlying risk.
So where is the risk? Basically, a merchant account provider is at risk for every dollar that passes through the merchant account during a 6 month period. Here is a risk scenario:
Widget Company comes out with a new electronic gadget for $30.00. During their first month, sales are over $100,000 and everyone in the company is ecstatic. To try and build upon the momentum, Widget Company decides to spend all their cash on an AdWords campaign. Ten days later, Widget finds out that all the gadgets they sold have a bug and need to be replaced. Widget doesn't have the cash to replace them so they tell customers that they are sorry, they won't be able to honor the 90 warranty that was included. The cardholders who bought those gadgets are going to be unhappy with the response and will call their bank to initiate a chargeback (a formal dispute process). The merchant account provider will in turn attempt to debit Widget's bank account for the amount being disputed to cover their loss but there are insufficient funds at that point. At that point, the merchant account provider is financially responsible to refund all those customers who bought the gadget and filed a dispute with their bank.
Merchant account providers face this risk with every product or service sold including services, software, memberships, consulting and anything else that is purchased with a credit card. Therefore, when a merchant account underwriter reviews an account, they try to calculate the risk associated with the account. Their risk analysis will include the merchant's projected sales, the product or service being sold, company history, company financials and owner(s) credit. The exposure window for credit card transactions is six months (or up to 18 months in special circumstances), which is how long a cardholder technically has to dispute a charge (chargeback). This is also why annual billing and lifetime memberships present underwriting and risk challenges.
The example above is an honest mistake. But merchant account providers are also cognizant of classic merchant account fraud: set up a merchant account, sell a bunch of goods or services, receive the money within 48 hours and then pack it up and skip town without delivering the items or services that were sold. Without a personal guaranty, the business can declare bankruptcy and the owners would be shielded from any consequence. In this scenario, the personal guaranty is primarily used as a deterrent to prevent bad behavior.
Merchants can always ask for exceptions and underwriters may or may not provide them. There are alternative arrangements that underwriters will occasionally propose in place of a personal guaranty such as a rolling reserve or a fixed amount up front.
Cost of Data Breach up 2.7%
Posted on Monday, February 02, 2009 by Bryan Johnson
The WSJ reports that a new Ponemon Institute survey found that the cost of a breach was up 2.7% during 2008 to $202 per compromised record. The average expense to an organization was $6.6 million in direct and indirect costs, which includes the cost of notifying victims and maintaining information hot lines as well as legal, investigative and administrative expenses.
Report Highlights:
- Industries with the highest number of breaches: Health care and financial services
- Most common causes of breaches: negligence, third-party providers, and portable devices including laptops
The survey examined costs incurred by 43 organizations in 17 industries after a data breach and included breaches of between 4,200 records and more than 113,000.
Data Breaches up in 2008
Posted on Friday, January 09, 2009 by Bryan Johnson
A report out this week by the Identity Theft Resource Center claimed the reported data breaches were up by 47% during 2008, reaching 656. Some interesting highlights (NOTE: this is not only credit card data):
- Only 2.4% of breaches had encryption or other strong protection in use
- Only 8.5% had password protection
About their method:
The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Subcontractor breaches, while counted as one breach each, in some cases affected dozens of companies. The number of breaches does not affect the number of companies affected. ITRC uses media, notification lists and government agencies to confirm breaches. To be considered a breach, it must include the loss of personal identifying information like a SSN.
Costco, your marketing department has gone rogue
Posted on Friday, December 05, 2008 by Bryan Johnson
Costco advertises unbeatable credit card processing rates of 1.64% and 1.99% in their November magazine. The problem? It's like a national long distance provider advertising a flat $.05 per minute that actually only includes your zip code.
And the first benefit Costco touts regarding their services? "No Hidden Fees"
Any business that accepts credit cards will tell you that this advertisement is misleading. If a merchant were to actually sign up, expecting to pay these rates, they would be unpleasantly surprised to find out that the actual rates are:
* 1.64% and $.20 for swiped transactions
* 1.99% and $.27 for non swiped transactions
* 2.96% and $.32 for rewards, business, corporate, non-AVS, authorizations not settled within 24 hours, and a host of other conditions.
* 3.80% and $.32 for government or international cards
I don't know about you, but that's a minor * that I would want to know about before buying.
Come on Costco, you're a brand we trust. We realize others in the industry do the exact same thing, but your customers deserve better.
2008 Credit Card Data Breach Trends
Posted on Tuesday, November 25, 2008 by Bryan Johnson
I recently listened to a presentation by a security group that performs forensics work when a merchant experiences a credit card data breach. Here are the breach trends they've seen during 2008:
Methods of entry - largely unchanged
- Insecure remote access software
- SQL injection
Breaching credit card data - evolved strategies
- Capturing credit card data in transit over the network between devices
- Via program modification after a vulnerable application was breached
- Via collection of Random Access Memory (RAM) contents
Techniques used - most apply to software POS
- Key-logging
- Network sniffers
- Serial port sniffers
Case Study
In one case study they shared, the criminal was able to penetrate the network via remote access software. They then installed a debugging tool to collect RAM contents and malware to parse track data. The malware then uploaded the data to a Russian website. The merchant was using a PABP POS that was not collecting prohibited cardholder data.