About this blog
My name is Bryan Johnson and I am the founder and CEO of Braintree. I maintain this blog because payment processing is one of the most difficult components for businesses to manage. It is complex and can pose some significant security, strategic and technical challenges. I try to educate, inform, share my insights and answer questions to help users make better decisions. I've been in the industry for a while now, getting my start in the trenches selling door to door. If you need a resource I am happy to chat.
Archive for the “Featured” Category

TJX is now the poster child for credit card data breaches. Starting in July 2005, hackers spent 18 months exploiting weak wireless network security outside thousands of TJX-owned stores and downloaded nearly 100 million credit card numbers. TJX recently estimated that the breach will cost them $118 million. Others, such as Forrester, estimate it will cost them $1.35 billion once legal fees, call center costs, regulatory fines, etc. are included.
While TJX has received all the recent attention, breaches are occurring more often than many realize. The exact number is unknown because only 31 states currently have laws requiring disclosure. One thing is for sure: if a business gets breached, they're going to pay for it, and it will be expensive. A Forrester report estimates the cost per breached record at anywhere from $90 to $305.

The profitable world of stealing credit card data
The spike in this type of criminal activity is attributable to the lucrative business of selling stolen credit card information. Depending on the quality, the selling price of a single record can easily be $100.
Criminals are using a host of tactics to steal credit card data. One of the most common methods is remote access to the servers that house the data, as in the case of TJX. WEP 104-bit encryption can be cracked in under a minute on an 802.11g network by using active ARP-relay packet-injection techniques.
Another very common approach is "skimming", a practice where employees attach an electronic reader to the point of sale machine and steal cardholder information including name, credit card number, and the CVV2 code (the three or four digit number on the front or back of the card). Employees have also been known to simply write down this information.
In ecommerce environments, cyber criminals are using SQL Injection, Cross Site Scripting (XSS), and Buffer Overflow attacks.
PCI Compliance overview
The driving force behind the effort to secure all credit card data is the PCI Security Standards Council, which was founded by Visa, MasterCard, American Express, Discover and JCB. They have mandated that businesses meet 12 security requirements in order to protect cardholder data.
To provide proper incentives, the Card Associations have offered both carrots and sticks. As a carrot, merchants who are compliant at the time of a breach are offered protection from PCI-related fines, which can be as high as $500,000 per incident; this is called Safe Harbor. As a stick, merchants can face the above-mentioned fines when breached, as well as fines for non-compliance. Some card brands have threatened to levy fines against larger merchants, up to $25,000 per month, until they obtain compliance.
To start the process of becoming compliant, a company should consider engaging a Qualified Security Assessor (QSA), who can advise on remediation and is approved to complete the official assessments for the Card Associations. There are fewer than 100 companies that offer these services. A few examples include Accuvant, Security Metrics, and Trustwave. The process of becoming compliant may take anywhere from 1 month to 18 months, depending on the business size and current IT and security infrastructure.
The cost and process of becoming PCI Compliant
Becoming compliant can be a time-consuming, costly, and considerably complex effort. Gartner recently estimated that the nation's largest merchants will spend $568,000 on average during 2007 to meet the mandated requirements.
Taking matters into your own hands
One thing that can be done right away is to make sure prohibited information is purged after authorization. That information includes full track data (from the magnetic strip), CVV2 codes (the three or four digit codes) and PIN data.
If a business needs to store name, credit card number and expiration date, then that data needs to be secured, either internally or in remote storage. Credit card tokenization, a remote storage technology, creates a unique customer ID for each record; that ID is then used to initiate transactions or change customer files remotely, so the merchant never handles the sensitive credit card data itself.
Other simple ways to better protect against breaches include tightening remote access controls, changing wireless network security from WEP to WPA, properly configuring firewalls, changing vendor default passwords, and using encryption to transmit all sensitive data.
In summary
Regardless of a business's current situation, the cost of a breach can be enormous. TJX, a $17 billion retailer, will be able to weather the storm, but a smaller organization may not have the same financial depth, which means the consequences may be much more severe. So whether or not the required resources are readily available to pursue PCI Compliance and proper data storage, it might not be a bad idea to make it a priority in your organization.
There is a lot of confusion surrounding credit card processing and merchant accounts. Some of the most common areas of confusion are the different types of organizations that sell the services, which entities actually process the transactions, and the fees and pricing structures that remain an unsolved mystery for most. I'm going to provide a broad industry overview that will hopefully help make sense of this complicated industry.
Merchant accounts are greatly appreciated by some and a necessary evil for others
Some merchants prefer accepting credit cards because they are a much more convenient and cost effective way of collecting payments from customers. Other merchants, while it still may be convenient, struggle paying the relatively high fees on their already thin margins. Either way, businesses can improve their situation by becoming better and more informed consumers of the services.
Providers of merchant accounts
If you want to get a new merchant account or switch from your existing provider, one thing is for sure: there is no shortage of companies anxious to try and earn your business. You can find merchant service providers by looking in the yellow pages, searching online, talking to your bank, or just waiting for the next sales guy to either call you or walk into your business (which shouldn't be long). The key is choosing the RIGHT provider for your business.
Not all merchant service providers are made equal
There are really two types of merchant service providers: processors and resellers (resellers are known in the industry as Independent Sales Organizations (ISO's) and/or Merchant Service Providers (MSP's)). Your first thought is probably that you would rather go with a processor to cut out the middle man, but I'll show you why it's not that clear-cut. Before I started Braintree, I worked for a processor and saw first hand some of the limitations they had in providing solutions to merchants. I'll provide more detailed descriptions of both and then offer an assessment of their differences.
1) Processors - Also known as Acquirers, processors are distinguished by their ability to actually process a transaction. To be a ‘processor’, a company must have the technical capability to receive transaction data from a merchant via a telephone line or the internet and then communicate with the appropriate financial institutions to approve or decline transactions. Processors must also be able to settle completed transactions through financial institutions in order to deposit funds into the merchant’s bank account.
The processing industry is highly concentrated, with the top five processors maintaining over 65% of all transaction volume. The single largest processor, First Data, was just bought by KKR for $29 billion. Processors can be banks, like Fifth Third, or non-banks, like First Data.
While processors do maintain a direct sales force of their own, they primarily work through ISO’s to acquire and maintain their merchant base. A processor’s business model is really one of economies of scale. They’re volume shops. They essentially outsource the sales function to ISO’s. I don’t have exact data on this but I would guess that over 80% of all merchants are working with an ISO.
Here is a simple diagram of the transaction flow. I took the liberty of putting my company in the value chain, but because Braintree is an ISO, there is a processor behind the scenes doing the actual transaction processing. Because most everything is private labeled, it's difficult for most merchants to discern whether their service provider is a processor or an ISO. Be careful not to be improperly influenced by this; most sales people use the 'we're the processor' line to gain additional credibility.

2) ISO’s - ISO’s resell the products or services of one or multiple processors. They can also develop their own or aggregate other value added products and services. ISO’s range from a little sketchy to best in class providers.
There are two types of ISO’s
a. Banks - Banks of all shapes and sizes are ISO’s. Wells Fargo, for example, is an ISO of First Data. Your local community and large regional banks are most likely ISO’s. Banks entered into the merchant services business because it was a natural fit with their product and service offerings. It’s a way to increase revenue per customer. Most, but not all banks, will private label the services so it’s difficult to distinguish if they are a processor or ISO. The benefit of working with a bank is that you can consolidate your financial services. The drawback is that you usually get ‘out of the box’ type solutions.
b. Non-banks - These types of ISO’s range from some of the most dynamic and capable providers to firms who don’t represent the industry very well.
Which to choose: Processor or ISO
With all providers, there are a few industry dynamics that make the landscape interesting. First, there are very low barriers to entry due to the lack of certifications, licenses, and capital requirements. Secondly, there really is no active regulatory body that oversees and enforces acceptable practices. So naturally, given these two market conditions, merchants need to be mindful and thorough in selecting a provider.
In comparing the two, ISO's offer all of the products and services that processors do (because they are reselling), but processors can't always offer the same products and services as ISO's. This is because ISO's can resell for multiple processors and can either develop their own technologies or aggregate solutions from other providers. ISO's have largely been the most successful creators of value added services, while most of the solutions processors develop are pretty clunky. ISO's also tend to be smaller, which usually (but not always) leads to better customer service.
As a plug for the processors, there are a few circumstances in which merchants must engage directly with a processor in order to get solutions that cannot be provided by ISO's. For example, dynamic product descriptors are used by merchants that need to report multiple unique product identifiers along with the merchant's name. Only one processor that I know of has this ability. I would also say that processors have a lower propensity for the unscrupulous behavior that is more common among ISO's (bank and non-bank).
As for price, in most cases, there really is very little to no difference. One more thing I would call out on pricing is that no class of provider (including banks) has earned the reputation to be above the sneaky pricing tactics that have unfortunately come to be an industry standard.
I argue, and fully disclose my vested interest, that in nearly any situation a best in class, non-bank ISO can provide more value than a processor. For some other considerations about what you may consider when evaluating different providers, you can read How to choose a merchant service provider.
What your merchant account looks like will vary according to your business
The rates, terms, and conditions of your merchant account will largely depend on your type of business and the provider you choose. Business types are first divided into two buckets: card present (swiped) and card-not-present (non-swiped). Card present merchants, such as restaurants and brick and mortar retailers are low risk and have fairly simple needs. Card-not-present merchants are much more difficult because the risk level is substantially higher when people are transacting business via the internet, telephone, etc.
Other risk factors that will affect your merchant account include the types of goods you're selling, delivery times, whether or not a deposit is required, and about 20 other variables. Most underwriting groups use some sort of actuarial model to determine their guidelines.
To give you an idea of one risk merchant service providers face, here is an example. Let's say that you sell $100,000 in books online. Within 24 to 48 hours of selling those items, the customers' money is deposited into your bank account. If you take that $100k and skip town without shipping the books to the people who bought them, the merchant service provider is stuck with the $100k bill, because customers are going to contest the charges with their banks and win. So for a few hundred dollars a month in revenue, the risk had better be pretty manageable for the provider.
Filling out the paperwork to set up your merchant account
Most companies have a two page application that will require you to fill out both personal and business information. Many people are justifiably concerned about giving out personal information including their social security number. However, unless you are a publicly traded company, I don’t know of a merchant provider who will underwrite your business without it.
When asked why all of the personal information is needed, most companies will point to the Patriot Act, which Congress passed shortly after 9/11. It basically requires all financial institutions, which include credit card processors, to collect specific identifying information about their customers.
You will also be required to sign a personal guarantee before the application is approved. Most business owners will respond that they incorporated so that they wouldn't have to personally guarantee anything. The underwriter will respond by asking why they should have more faith in your business than you do. Both sides have valid points. I think the issue boils down to whether or not the business owner will deliver the goods that payment has been received for. The personal guarantee is not so much useful in collecting money as it is a deterrent against fraudulent and irresponsible behavior.
Be Careful
As you can see in this very high level introduction to the industry, there are a lot of complexities and much to learn. You can also read my post on Some advice to help you avoid common mistakes.
It is known by some, but not all, that businesses pay fees in order to accept credit cards as a form of payment. In fact, over 7 million merchants in the U.S. accept credit cards. During 2006 they collectively paid over $30 billion in fees to offer customers that convenience.
Despite the size of the industry, it's a mystery to most as to who is pocketing these billions of dollars in fees and why it has to be so unbelievably complicated. I had a CPA tell me the other day, "I'm a smart guy. I understand numbers, pricing and reconciliation, but for whatever reason I just cannot get my head around credit card processing fees." He's not alone. Hopefully this article will clear up some of that confusion as I provide some context about where credit card fees come from, who's making the money, and how fees and rates are determined.
Banks make roughly 80% of all credit card processing fees
Yes, banks are the biggest beneficiaries of consumers using plastic. Banks co-issue debit and credit cards with Visa and/or MasterCard (AMEX and DISV don't issue cards through banks). Visa and MasterCard are essentially membership associations owned by the issuing banks, and collectively own about 70% of the market. For example, Visa is a membership association of over 13,000 banks nationwide.
Banks make money every time a card they issued is used to purchase something. For example, let’s assume that a business is paying an effective rate of 3.5% to accept credit cards (that 3.5% is usually comprised of a discount rate and a per transaction fee but I just used a flat rate for simplification purposes). Roughly 80% of that 3.5% is going to the issuing bank. The rest of the 20% is divided among Visa or MasterCard, the credit card processor, and if there is one, the Independent Sales Organization (ISO).
How do banks justify their fees?
Credit card usage has seen explosive growth in the past 20 years for a number of reasons. Consumers get 15 to 45 days to pay original purchases, rewards and other perks, a line of credit for extra spending power, fraud protection, a monthly accounting of all purchases, and plastic is more convenient than cash or check.
All of these conveniences cost banks money. They have costs associated with fraud, bad debt, customer support, rewards and other perks, and float (they pay for your purchases before you pay them). Putting two and two together here on the creation and payment of fees, banks come up with rewards programs but merchants end up picking up their tab!
Continuing our example, if you buy movie tickets for $20 and the movie theater is paying 3.5%, the bank that issued that credit card would make $0.56 ($20 x 3.5% = $0.70, x 80% = $0.56). Visa and MasterCard add their respective fees of 0.0925% and 0.0950% on top of what the banks charge (note: that's 9.25 and 9.50 basis points; 100 basis points equals 1%). The bank's fee and the Visa or MasterCard fee added together form what is called 'interchange'.
You now understand why you find a credit card offer in your mailbox everyday. Outside of the 18% interest rates, annual fees, and late fees, being a card issuer is a lucrative business! Banks are making money on both the front and back end.
That seems simple enough, why does everyone say it’s so complex?
There are over 100 different interchange ‘rates’ or ‘categories’. The particular rate that is charged on any given transaction depends on a number of variables, including:
1) The type of card that is used in the transaction i.e. debit, credit, rewards, or business card, international, etc.
2) Where the card is used i.e. restaurant, retail, gas, business to business, ecommerce, etc.
3) The method of usage i.e. swiped, over the phone, or via ecommerce.
4) What information the business captures during the transaction i.e. name, address, tax ID, tax amount, unit description, etc. (the information required is a whole other layer of complexity).
5) When the transaction is submitted to the processor for settlement and funds transfer after the initial authorization.
As you can see, it’s a very complicated matrix. Very few people, including those who’ve been in the industry for years, really understand interchange.
Qualifying for different rate categories and getting hit with downgrades can be expensive
Merchants can often do more than they think to better manage the credit card fees they pay. For example, transactions can be ‘downgraded’ when they don’t meet interchange requirements. Reasons for downgrades include not capturing the correct information when processing (such as billing address), settling the transaction after a certain period of time, not swiping the transaction and many more. Learning how to recognize these penalties and then making the appropriate adjustments can help you lower your fees.
One example is when a restaurant employee hand keys your credit card number into the point of sale system because the magnetic strip can't be read; the transaction then falls into a different rate category. The transaction is penalized because 'non-swiped' transactions carry more risk and therefore higher interchange fees. The increase in rate can be significant, ranging from 30 basis points to 1.6% or more. Actual rates of course vary according to the fee structure you have with your existing provider.
Different rate categories and downgrades are the dirty little secret of merchant service providers. It's where they make most of their margin, because they advertise artificially low rates and don't disclose the higher markups on transactions that don't fall into the advertised rate category. Too many merchants fall for this and think they're paying the single, highly competitive rate that was advertised.
A quick search of merchant service providers will demonstrate that non-disclosure of fees is a standard practice.
Your undecipherable monthly credit card statement
As icing on the cake, the unreadable format most merchant service providers use to present this information to you on a monthly basis doesn’t help. Of course, the format used is not because they have no other option, it’s because that’s what makes them the most amount of money.
The frustration with credit card fees
Some merchants accept credit cards because they find them to be an easier method of accepting money from customers. Most, however, accept them because they have no other choice, and the costs can be significant. Many merchants and advocacy groups have cried foul lately, with Visa and MasterCard increasing 'interchange' fees over 117% in the past five years while maintaining over 70% market share. The Card Associations have been accused of being monopolistic.
Interchange has come under increased pressure lately
A few years ago, Wal-Mart won a class action lawsuit against Visa and MasterCard. They claimed that interchange was being improperly priced, with debit cards carrying the same interchange rate as credit cards. Among other things, they argued that debit cards should have a lower interchange rate because money comes directly out of the account, versus a credit card where there are 15 to 45 days between purchase and payment. The courts agreed and awarded Wal-Mart and other retailers billions of dollars in compensatory damages. There are currently a number of other legal battles against the Card Associations surrounding interchange.
PCI DSS Compliance is an industry-mandated security standard that applies to all businesses that handle, process or store credit cards. There are 12 requirements, but as an oversimplification it boils down to two things: 1) merchants cannot store certain credit card information, including CVV/CVV2 codes (the three or four digit numbers), track data from the magnetic strip, and PINs, and 2) if permitted credit card information such as name, credit card number and expiration date is stored, the storage security needs to meet certain requirements. A number of recent high profile breaches have been raising awareness of the risks associated with PCI Compliance.
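The two rules above, together with the purge-after-authorization and tokenization advice in the "Taking matters into your own hands" section of the earlier post, are easier to see in code. The following Python is an added example; it is not from this blog or from Braintree. The record field names, the sample card data and the track-data patterns are constructed for illustration, and TokenVault is a hypothetical in-memory stand-in for a remote tokenization service. It strips the prohibited fields from an authorization record, scans free text for leaked magnetic-stripe track data, and replaces the card number with an opaque token so the merchant's own database holds no sensitive card data.

```python
"""Post-authorization record hygiene and tokenization (added example)."""
import re
import secrets

# Fields that must not be kept after authorization: CVV2, full track data, PIN.
PROHIBITED_FIELDS = ("cvv2", "track1", "track2", "pin", "pin_block")

# Loose patterns for magnetic-stripe track data that leaks into logs or tables.
# Track 1 starts with '%B' and uses '^' as a field separator; track 2 starts
# with ';' and separates PAN from expiry with '='. Constructed for illustration;
# a production scanner would be stricter about the full record format.
TRACK1_RE = re.compile(r"%B\d{12,19}\^[^^]{2,26}\^\d{4}")
TRACK2_RE = re.compile(r";\d{12,19}=\d{4}")


def luhn_ok(pan: str) -> bool:
    """Luhn checksum, so we refuse to tokenize an obviously malformed PAN."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def purge_after_authorization(record: dict) -> dict:
    """Return a copy of an authorization record with prohibited data removed."""
    return {k: v for k, v in record.items() if k not in PROHIBITED_FIELDS}


def contains_track_data(text: str) -> bool:
    """True if the text looks like it carries raw track 1 or track 2 data."""
    return bool(TRACK1_RE.search(text) or TRACK2_RE.search(text))


class TokenVault:
    """Hypothetical stand-in for a remote tokenization service.

    Only the vault ever sees the card number; callers keep a random, opaque
    token plus the last four digits for display and receipts.
    """

    def __init__(self) -> None:
        self._store: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not pan.isdigit() or not luhn_ok(pan):
            raise ValueError("invalid card number")
        token = "tok_" + secrets.token_hex(16)   # unrelated to the PAN
        self._store[token] = pan
        return token

    def last4(self, token: str) -> str:
        return self._store[token][-4:]

    def detokenize(self, token: str) -> str:
        """What the vault does internally when it initiates a transaction."""
        return self._store[token]


def store_customer(vault: TokenVault, auth_record: dict) -> dict:
    """Build the record the merchant keeps: no PAN, no CVV2, no track data."""
    clean = purge_after_authorization(auth_record)
    token = vault.tokenize(clean.pop("pan"))
    clean["card_token"] = token
    clean["card_last4"] = vault.last4(token)
    return clean


if __name__ == "__main__":
    # Constructed sample authorization record (4111... is a standard test PAN).
    sample = {
        "name": "Test Customer",
        "pan": "4111 1111 1111 1111",
        "exp": "12/25",
        "cvv2": "123",
        "track2": ";4111111111111111=25121011000012345678?",
    }
    kept = store_customer(TokenVault(), sample)
    print(kept)
    print("track data in stored record:", contains_track_data(repr(kept)))
```

The stored record can be handed to the vault later to initiate a recurring charge or update the customer file, which is the "remotely initiate transactions or change customer files" step the earlier post describes; the merchant side only ever sees the token and the last four digits.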
The motivation to become compliant
The major credit card companies have provided both carrots and sticks in order to compel merchants to become compliant. The incentives offered include 'safe harbor' from certain penalties and fines if a merchant is compliant at the time of a breach. Without compliance, if a merchant is breached and has credit card information stolen, PCI-related fines can be as high as $500,000 per incident, depending on the size of the breach. In severe cases, merchants can even be given the 'Death Penalty', preventing them from accepting credit cards at all. In addition to the PCI fines, merchants may also be subject to remediation costs that have been estimated at $90 to $302 per record (see graph below).
The Payment Card Industry Data Security Standard (PCI DSS)
What is PCI DSS?
It’s a comprehensive security standard that establishes common processes and precautions for handling, processing, storing and transmitting credit card data.
Who created it?
While Visa and MasterCard originally developed it, as of September of 2006, American Express, Discover, JCB, MasterCard and Visa jointly formed the PCI Security Standards Council.
Why was it created?
Because in the last few years there has been a spike in data security breaches. Organizations such as TJX, Bank of America, Citigroup, BJ's Wholesale Club, Hotels.com, LexisNexis, Polo Ralph Lauren and Wachovia have been breached.
Who’s at risk?
Any business that processes, transmits, or stores credit card information. While the publicity around security breaches has recently focused on larger companies, Visa reports that the majority of breaches are occurring at small businesses.