Without the merchant even asking us to do it, or knowing it was possible, our awesome team proactively analyzed a customer's credit card processing data and found ways they could qualify for better rates. We provided the recommendations along with implementation assistance and reduced their processing costs by $14,270 per year, a 25 basis point reduction (100 basis points equals 1%) on $5.6MM in processing volume. We actually do this all the time for our customers - and don't charge a dime for it. It's taken us years to learn all of the nuances but now we're pretty good at it.
Qualifying for the best credit card processing rates is very complex. For most merchants, doing this in-house is next to impossible because of the difficulty of finding, understanding and verifying all of the relevant information. It's important to understand this because the majority of providers only advertise and disclose the lowest fees and hide all of the higher rates that are charged when a merchant isn't meeting processing requirements (see an example of a trusted brand advertising lower rates and hiding the higher fees). We've long been outspoken critics of this practice.
It pays to work with Braintree.
We've been getting a lot of questions lately about both merchant and service provider PCI Compliance so we thought we would just write this up for everyone. If you're new to PCI Compliance, here is an overview to get you up to speed. The PCI DSS applies to any merchant or service provider that handles, processes, stores or transmits credit card data.
Merchants
For merchants, the PCI Security Standards Council has provided on-your-honor compliance validation tools in the form of Self Assessment Questionnaires (SAQs). There are four SAQs: A, B, C and D. The SAQs were designed to accommodate both different business types (e.g. restaurant vs. ecommerce) and different processing methods (e.g. whether or not the merchant handles, processes or stores credit card data). Larger merchants processing millions of transactions per year do not get to self-assess at all; they are required to have an onsite audit conducted by a Qualified Security Assessor (QSA).
Here are two examples of how a merchant would choose a particular SAQ:
If an ecommerce merchant accepts credit card payments via their website and then stores the credit card information for future purchases, they are required to fill out SAQ D, or the long form as it's known, because they are handling, processing and storing credit card data. SAQ D covers the full PCI DSS, roughly 250 controls, and requires the greatest amount of time, energy and money.
Conversely, if an ecommerce merchant only accepts credit card payments via their website and never handles, processes or stores credit card data, because the card data goes directly to the processor through an API like ours or a hosted payment page, the merchant can qualify for SAQ A, the shortest of the four. It includes roughly 20 controls and can be completed very quickly. In addition to this SAQ, some processors and/or QSAs will also require that the merchant sign up for a vulnerability scanning service covering their outward-facing IP addresses, even though there is no credit card data present on those systems to be stolen (the usual argument for scanning anyway is that a compromised merchant web server could still send shoppers to a fake payment page). We've seen it argued both ways.
It is important to note in this second example that if this merchant also accepts credit card payments over the phone, in addition to the website, they will no longer qualify for the short form SAQ A because they are now processing, transmitting and potentially storing credit card data in their own environment. They will instead be required to fill out SAQ C, or SAQ D if the card data taken over the phone ends up being stored.
Service Providers
Like merchants, service providers, meaning any business that processes, handles or stores credit card data on behalf of a merchant, are required to be PCI DSS compliant. Visa maintains a list of Global PCI DSS Validated Service Providers on their website. Merchants are required to make sure their provider has been validated as PCI DSS compliant. Achieving Level 1 service provider compliance requires an onsite audit by a Qualified Security Assessor.
The PCI Security Standards Council changed its policy on audio recordings. Audio recordings that contain credit card data must now be treated the same as if the data were written down. Merchants will need to protect stored audio files containing card numbers with the same controls that apply to any other stored cardholder data, and they must delete any portion of a recording that contains prohibited data, such as the CVV2 security code, which may never be stored after authorization in any form.
Evan Schuman at StorefrontBacktalk has a nice write-up with some additional context.