Costco, your marketing department has gone rogue

Posted on Friday, December 05, 2008 by Bryan Johnson

Costco advertises unbeatable credit card processing rates of 1.64% and 1.99% in their November magazine. The problem? It's like a national long distance provider advertising a flat $.05 per minute that actually only includes your zip code.

And the first benefit Costco touts regarding their services? "No Hidden Fees"

Any business that accepts credit cards will tell you that this advertisement is misleading. If a merchant were to actually sign up, expecting to pay these rates, they would be unpleasantly surprised to find out that the actual rates are:

* 1.64% and $.20 for swiped transactions
* 1.99% and $.27 for non-swiped transactions
* 2.96% and $.32 for rewards, business, corporate, non-AVS, authorizations not settled within 24 hours, and a host of other conditions
* 3.80% and $.32 for government or international cards

I don't know about you, but that's a minor * that I would want to know about before buying.

Come on Costco, you're a brand we trust. We realize others in the industry do the exact same thing, but your customers deserve better.

 


2008 Credit Card Data Breach Trends

Posted on Tuesday, November 25, 2008 by Bryan Johnson

I recently listened to a presentation by a security group that performs forensics work when a merchant experiences a credit card data breach. Here are the breach trends they've seen during 2008:

Methods of entry - largely unchanged

  • Insecure remote access software
  • SQL injection 

Breaching credit card data - evolved strategies

  • Capturing credit card data in transit over the network between devices 
  • Via program modification after a vulnerable application was breached
  • Via collection of Random Access Memory (RAM) contents

Techniques used - most apply to software POS

  • Key-logging 
  • Network sniffers
  • Serial port sniffers

Case Study

In one case study they shared, the criminal was able to penetrate the network via remote access software. They then installed a debugging tool to collect RAM contents and malware to parse track data. The malware then uploaded the data to a Russian website. The merchant was using a PABP POS that was not collecting prohibited cardholder data.


MasterCard interchange changes for Utility, Real Estate and Insurance merchants

Posted on Wednesday, October 15, 2008 by Bryan Johnson

MasterCard announced some changes to their interchange pricing today that will be effective October 3, 2008.

Some quick context if you are new to this. Here is an oversimplification: merchants pay fees to accept credit cards. Financial institutions that issue credit and debit cards make roughly 75% of the fees that merchants pay (merchant account providers charge the other 25% of the fees). When MasterCard makes changes to 'Interchange', they are adjusting the wholesale pricing of the fees that make up MasterCard and their financial issuing institutions' 75% of fees. To the casual observer in this industry, the updates below won't make a lot of sense without some additional context.

Utilities

  • Merchants no longer need to register for their Utility Program
  • MC is discontinuing their Service Industries Incentive Program (SIIP). The SIIP program offered a lower discount rate and transaction fee. Utilities will now be charged a fixed fee per transaction which is lower on average than rates paid on SIIP and closer to pin debit rates.

Real Estate

  • Discontinuing two Debit interchange categories (Merit III and UCAF), otherwise pricing stays the same. 

Insurance

  • Similar to utilities, discontinuing the discounted SIIP rates. Merit III, Merit I Merchant/Full UCAF Debit are no longer eligible.

Telecommunications

  • Similar to utilities and insurance, discontinuing the discounted SIIP rates but Merit III, Merit I Merchant/Full UCAF Debit are still eligible.

Related Posts
Where do credit card fees come from?


California Data Breach Law Vetoed - Again

Posted on Friday, October 03, 2008 by Bryan Johnson

Computer World reports the following today:

For the second time in 12 months, California Gov. Arnold Schwarzenegger has vetoed proposed legislation that would have required retailers and other businesses operating in the state to take specific steps to prevent credit and debit card data from being compromised.

The latest version of the bill — known as the Consumer Data Protection Act, or AB 1656 (download PDF) — would also have required retailers that accept payment card transactions to disclose more details about any data breaches to the individuals affected by them. The bill was approved by the California State Assembly on a 74-1 vote last month, a week after the state Senate passed it by a 34-3 margin.

But in a veto message that he sent to state legislators on Tuesday (download PDF), Schwarzenegger said he was refusing to sign the bill for the same reasons he turned down the original version of the measure last October. "As I stated in last year's veto of a similar bill, this bill attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities that provide for the protection of consumers," Schwarzenegger wrote.

The governor said that requiring companies to notify consumers about breaches, even when there is no evidence of any personal data actually being stolen, would result in "significant costs" for businesses and the state government. In addition, he said, the controls mandated in AB 1656 would lock companies into current credit card data security best practices, creating a disincentive for them to adopt new and more comprehensive industry standards and ensuring that the law would remain "static in the face of future, unseen concerns."

Seems like practical, good decision making to me. Nice work Schwarzenegger.


Annual Credit Card Billing Subscriptions

Posted on Thursday, October 02, 2008 by Bryan Johnson

Coming up with the optimal pricing structure for a product or service is tough. Beyond factors such as competitor pricing and target market price point analysis, merchants need to consider the limitations that accompany collecting money via a credit card.

The reason behind the limitation: financial risk.  Merchant account providers are on the hook for the money their customers process. For example, if a company accepts 1,000 annual subscriptions at $129 and then declares bankruptcy two months later, the merchant account provider is responsible for paying back the full $129,000 to cardholders when they file chargebacks.

Some merchant account providers will maintain a hard line against anything greater than 30-day recurring billing cycles, while others with a bigger appetite for risk may allow quarterly, semi-annual or annual billing from the start. This becomes less of an issue if a company has a demonstrated track record and financial strength.

Whatever billing strategy a company pursues, it's a good idea to make sure that all billing intentions and practices are fully disclosed upfront to avoid future problems.  

Related:
Jason Fried of 37signals has a good post about their experience with this.


Visa working on payment applications for Android

Posted on Tuesday, September 30, 2008 by Bryan Johnson

Last month Visa announced that they are moving to alert customers of suspected credit card fraud via mobile phone. This week they announced more ambitious plans to build online payment applications with Nokia for Google’s Android.

The goal is to allow users to make remote and contactless payments as well as transfer money. Remote payments should be a marked user convenience, and transferring money is a big move for Visa into a space they've not been in before. The biggest barrier to contactless payments will be the required point of sale upgrades to allow for Near-Field Communications (NFC), where users just wave their phone a few inches from the device.


Visa Transaction Alerts via email and mobile phone

Posted on Friday, August 22, 2008 by Bryan Johnson

Digital Transactions reports today that in 2009, in an effort to reduce credit card fraud, Visa will provide cardholders the ability to be instantly notified via email or text message of any usage of their debit, credit or ATM card. The service is in beta with a number of U.S. and Canadian banks.

The system will allow users to set transaction amount notification thresholds. If a transaction is suspicious, users can immediately call an 800 number to report it. Today it takes 98 days on average to detect identity theft and 72 days for bank card fraud (Javelin Research).

This type of notification service has the potential to dramatically reduce that. So in short, Visa is shifting fraud screening and prevention costs to cardholders. Nice work Visa.


Gen Y Preferred Online Payment Method

Posted on Wednesday, August 13, 2008 by Bryan Johnson

Interesting because I thought PayPal would have much higher preferred status among this demographic.

Credit Card: 65%
Debit Card: 22%
Checking: 8%
PayPal: 3%
Other: 2%

Generation Y includes those born in the '80s to '90s (18-28 year olds). Thank you First Annapolis for the data and Transaction Trends for publishing.
