Nearly all merchant account providers will require that a personal guarantee be signed by the owner(s) before approving an account for credit card acceptance. Some owners are justifiably reluctant to sign a personal guarantee. After all, that's one of the main reasons a legal entity was set up in the first place: to protect individuals in the organization from being subject to the company's liabilities. Most providers will waive the requirement if a) the company is public, or b) the organization is a registered 501c3 or 501c4, or c) the company's financials are adequate to satisfy the underwriters' concern about the underlying risk.
So where is the risk? Basically, a merchant account provider is at risk for every dollar that passes through the merchant account during a 6 month period. Here is a risk scenario:
Widget Company comes out with a new electronic gadget for $30.00. During their first month, sales are over $100,000 and everyone in the company is ecstatic. To try and build upon the momentum, Widget Company decides to spend all their cash on an AdWords campaign. Ten days later, Widget finds out that all the gadgets they sold have a bug and need to be replaced. Widget doesn't have the cash to replace them so they tell customers that they are sorry, they won't be able to honor the 90 warranty that was included. The cardholders who bought those gadgets are going to be unhappy with the response and will call their bank to initiate a chargeback (a formal dispute process). The merchant account provider will then unsuccessfully attempt to debit Widget's bank account for the amount being disputed to cover their loss. At that point, the merchant account provider is financially responsible to refund all those customers who bought the gadget and then disputed the charge with their bank.
Merchant account face this risk with every product or service sold including services, software, memberships, consulting and anything else that is purchsed with a credit card. Therefore, when a merchant account underwriter reviews an account, they try to calculate the risk associated with the account. Their risk analysis will include the merchants projected sales, the product or service being sold, company history, company financials and owner(s) credit. The exposure window for credit card transacions is six months (or up to 18 months in special circumstances), which is how long a cardholder technically has to dispute a charge (chargeback). This is also why annual billing and lifetime memberships present underwriting and risk challenges.
The example above is an honest mistake. But merchant account providers are also cognizant of classic merchant account fraud: set up a merchant account, sell a bunch of goods or services, receive the money within 48 hours and then pack it up and skip town without delivering the items or services that were sold. Without a personal guarantee the business can declare bankruptcy and the owners would be shielded from any consequence. In this scenario, the personal guarantee is primarily used as a deterrent to prevent bad behavior.
Merchants can always ask for exceptions and underwriters may or may not provide them. There are alternative arrangments that underwriters will ocassionally propose in place of a personal guarantee such as a rolling reserve or a fixed amount up front.
The WSJ reports that a new Ponemon Institute found that the cost of a breach was up 2.7% during 2008 to $202 per compromised record. The average expense to an organization was $6.6 million in direct and indirect costs, which includes the cost of notifying victims and maintaining information hot lines as well as legal, investigative and administrative expenses.
Report Highlights:
The survey examined costs incurred by 43 organizations in 17 industries after a data breach and included breaches of between 4,200 records and more than 113,000.
Comments: 0 | Post a CommentA report out this week by the Identity Theft Resource Center claimed the reported data breaches were up by 47% duing 2008, reaching 656. Some interesting highlights (NOTE: this is not only credit card data):
About their method:
The ITRC tracks five categories of data loss methods: data on the move, accidental exposure, insider theft, subcontractors, and hacking. Subcontractor breaches, whild counted as one breach each, in some cases affected dozens of companies. The number of breaches does not affect the number of companies affected. ITRC uses media, notification lists and government agencies to confirm breaches. To be considered a breach, it must include the loss of personal identiying information like a SSN.
Comments: 0 | Post a Comment
