Braintree Payment Solutions


About this blog

My name is Bryan Johnson and I am the founder and CEO of Braintree. I maintain this blog because payment processing is one of the most difficult components for businesses to manage. It is complex and can pose some significant security, strategic and technical challenges. I try to educate, inform, share my insights and answer questions to help users make better decisions. I've been in the industry for a while now, getting my start in the trenches selling door to door. If you need a resource I am happy to chat.

Creative Commons License
This work is licensed under a Creative Commons License.


 

Archive for the “Credit Card Processing” Category


Credit card validation

May 19th, 2008

In a card-not-present environment, there are two levels of credit card validation. The first is the Luhn algorithm, also known as a 'mod 10' check. The Luhn algorithm will validate the number of characters for a particular card type. It doesn't perform any other type of validation. I'd say almost all payment processing systems have this in place as a standard offering.
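A first-level check of this kind, as an added example (not Braintree's code): it runs the mod 10 checksum and checks the digit count for the detected brand before any authorization request is sent. The prefix and length table and the function names are assumptions based on commonly published ranges; the sample numbers in the comments are well-known test numbers, and a passing result says nothing about whether the account exists.

```python
import re

# Brand -> (prefix test, allowed digit counts). Commonly published ranges,
# assumed here for illustration; production systems use the processor's
# current BIN tables instead.
BRANDS = [
    ("visa", lambda n: n.startswith("4"), {13, 16, 19}),
    ("mastercard",
     lambda n: 51 <= int(n[:2]) <= 55 or 2221 <= int(n[:4]) <= 2720,
     {16}),
    ("amex", lambda n: n[:2] in ("34", "37"), {15}),
    ("discover", lambda n: n.startswith(("6011", "65")), {16}),
]


def luhn_ok(number: str) -> bool:
    """Mod 10 check: double every second digit from the right, sum, test % 10."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit, counting from the right
            d *= 2
            if d > 9:           # same as adding the two digits of the product
                d -= 9
        total += d
    return total % 10 == 0


def precheck(raw: str):
    """Return (brand, status) for a card number as typed by the customer.

    status is one of: ok, bad_length, bad_checksum, unknown_brand, not_digits.
    """
    number = re.sub(r"[ -]", "", raw)          # tolerate spaces and dashes
    if not re.fullmatch(r"[0-9]+", number):
        return (None, "not_digits")
    for brand, matches, lengths in BRANDS:
        if matches(number):
            if len(number) not in lengths:
                return (brand, "bad_length")
            if not luhn_ok(number):
                return (brand, "bad_checksum")
            return (brand, "ok")
    return (None, "unknown_brand")


if __name__ == "__main__":
    for sample in ("4111 1111 1111 1111",   # Visa test number
                   "378282246310005",       # American Express test number
                   "4111111111111112",      # last digit altered
                   "411111111111116"):      # passes mod 10, wrong digit count
        print(sample, precheck(sample))
```
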

If merchants want to further validate the card, they can send an authorization request to the issuing bank for 1) address verification (AVS) and 2) CVV2, the three or four digit code on the card. When the auth is submitted, the bank will respond with match or mismatch codes for street address, zip (5 and/or 9 digits) and CVV2.

In most payment processing systems merchants can set up acceptance or denial rules so that if an authorization comes back as having an incorrect billing address, zip or cvv2 code, the transaction will be automatically accepted, denied or flagged.

Merchants that want to validate the card upon accepting a new customer, but not charge them, can do a $1.00 authorization, which will then usually fall off the card in a few days. Note, however, that there is no standard for the amount of time a particular authorization stays on a debit or credit card. Issuing banks determine the exact duration; generally speaking, most stay valid for between 3 and 10 days, but some up to 30 days. In a situation where a merchant accidentally authorizes a card 10 times for $1,000, tying up a customer's entire credit limit, they can call the issuing bank and ask to void the transaction.

A few other related points:
1. AMEX recently stopped returning CID (their version of CVV2) responses, leaving address verification as the only validation tool.
2. CVV2 does not affect credit card rates.
3. CVV2 data cannot be stored.


High Risk Merchant Account: Third Party Payments Aggregation

April 24th, 2008

Third party payments aggregation (TPPA) is a description used for merchants that are selling a product or service that they do not own. The best example of a TPPA (aggregator) is PayPal. They simply facilitate the exchange of money between two parties.

There are, however, different shades of TPPAs. For example, an online air travel booking site may charge both their service fee and the actual airfare in a single transaction. If the merchant were only charging their service fee, they would not fall into the TPPA category as they are simply charging for the service they provide. But because they are also charging a credit card for a product they do not own, an airfare ticket, they fall into the TPPA category.

The value proposition of a TPPA is clear to both consumers and merchants, but the increased risk is not normally understood as well by the merchant. There are two reasons why TPPAs are considered higher risk in the credit card processing industry:

1) The merchant has reduced control over the quality and delivery of the product being sold, and
2) The merchant is being trusted to pay the third party for the money they’ve collected on their behalf

Here is an extreme example to demonstrate the risk of a TPPA account. Let's say over a 30 day period an ecommerce merchant sells $1,000,000 worth of vitamins that they have on net 30 terms from a wholesaler. The merchant could collect the $1,000,000, not pay the wholesaler, and then skip town with a suitcase full of money. Each customer will soon be initiating a chargeback because the vitamins they paid for did not arrive.

When the chargebacks are initiated, the issuing bank will credit the cardholder's account, but because the merchant is nowhere to be found and the business has no assets, the merchant account provider is left with $1,000,000 in liabilities.

This example of course suggests intentional fraud is at the core of the liability, but it also happens in other circumstances, e.g. an online booking site accepts payment for airfare and then the airline declares bankruptcy.

Because the Card Associations have discouraged the practice of TPPA, and because of the increased risk, most merchant account providers are justifiably reluctant to underwrite these types of accounts. That is not to say that merchants cannot get approved for TPP processing; it is just more difficult, and the underwriting conditions will more likely include a reserve and other similar safeguards.


PCI Compliance and Temporarily Storing the CVV2 Value

April 4th, 2008

I’ve been working with a software provider in the restaurant space and one of the questions that came up was whether a restaurant can temporarily store the CVV2 value when taking a reservation to later charge the card if the customer does not show. The word from the PCI Security Standards Council has been that the CVV2 value can never be stored. There are, however, a few exceptions provided for merchants that have a need to ‘store and forward’ the data.

I spoke to a few folks about this including Brian Serra CISSP, QSA from Accuvant and Michael Dahn at the Aegenis Group. For merchants that are given an exception to temporarily store the CVV2 value, there is always a limited number of days the data can be retained. It’s also ultimately up to the specific merchant’s acquirer whether the practice will be allowed - as they bear the responsibility for the merchant’s compliance.


CVV2 Does Not Affect Credit Card Rate Qualification

April 4th, 2008

Most merchants mistakenly believe that processing a cardholder’s three or four digit CVV2 value for a ‘card not present’ transaction (e.g. ecommerce) will help qualify for lower credit card rates. The CVV2 value is only valuable to protect against credit card fraud and has nothing to do with rate qualification. CVV2 is most often confused with Address Verification Service (AVS) which can be used to qualify for lower credit card rates.

CVV2 stands for Card Verification Value and was introduced by MasterCard in 1997 and Visa in 2001. For ‘swiped’ transactions, the value is referred to as CVV1. Each of the card brands has its own acronym:

Visa: CVV2 - Card Verification Value
MasterCard: CVC2 - Card Validation Code
American Express: CID – Unique Card Code (and 4 digits)
Discover: CID – Card Identification Number

Merchants are able to configure payment processing systems to accept or decline transaction requests based upon the match or mismatch of CVV2 information. So for example, if a merchant creates a rule to decline all transactions where the CVV2 value does not match, the authorization request could be successful with the issuing bank, but the transaction will be denied by the merchant. Even though the transaction was denied by the merchant, the consumer’s card will still be authorized.
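The accept, deny or flag rules described here and in the credit card validation post, as an added example (not Braintree's code or any processor's API). The `AuthResult` fields, the "match"/"mismatch"/"unavailable" values and the rule table are assumptions standing in for a processor's real response codes; the `hold_remains` flag marks the case above where the issuer approved but the merchant's rule denied, so the authorization is still on the card.

```python
from dataclasses import dataclass
from enum import IntEnum


class Action(IntEnum):
    # Ordered by severity so the strictest matching rule wins.
    ACCEPT = 0
    FLAG = 1
    DENY = 2


@dataclass(frozen=True)
class AuthResult:
    """Normalized issuer response (hypothetical shape for this example)."""
    approved: bool     # issuer approved the authorization request
    street: str        # "match" | "mismatch" | "unavailable"
    zip_code: str      # same three values
    cvv2: str          # "unavailable" when the issuer returns no CVV2/CID result


@dataclass(frozen=True)
class Decision:
    action: Action
    reasons: tuple
    hold_remains: bool  # issuer approved but merchant denied: funds still held


# Merchant-configured rules: (field, outcome) -> action. Constructed sample.
DEFAULT_RULES = {
    ("cvv2", "mismatch"): Action.DENY,
    ("zip_code", "mismatch"): Action.DENY,
    ("street", "mismatch"): Action.FLAG,
}


def decide(result: AuthResult, rules=DEFAULT_RULES) -> Decision:
    if not result.approved:
        # Issuer declined: nothing was authorized, so no hold to release.
        return Decision(Action.DENY, ("issuer_declined",), False)
    action, reasons = Action.ACCEPT, []
    for field in ("street", "zip_code", "cvv2"):
        outcome = getattr(result, field)
        rule = rules.get((field, outcome))
        if rule is not None:
            reasons.append(f"{field}_{outcome}")
            action = max(action, rule)
    # A merchant-side denial does not undo the issuer's approval.
    return Decision(action, tuple(reasons), hold_remains=(action == Action.DENY))


if __name__ == "__main__":
    samples = [  # constructed responses
        AuthResult(True, "match", "match", "mismatch"),
        AuthResult(True, "mismatch", "match", "unavailable"),
        AuthResult(False, "mismatch", "mismatch", "mismatch"),
    ]
    for s in samples:
        print(s, "->", decide(s))
```

A decision with `hold_remains` set is the one to follow with a void of the authorization, so the customer's available credit is not tied up by a transaction the merchant refused.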

PCI DSS Compliance prohibits merchants from storing the CVV2 code. For recurring billing, merchants can accept and validate the CVV2 value during the initial authorization but cannot store it for additional transactions. After the initial validation, there really is no value in storing it.

Other Related Blog Posts
PCI Prohibits the Storage of CVV2 Data
PCI DSS Compliance Basics
Where do Credit Card Fees Come From?


Automatic update of credit card information for recurring billing merchants

January 16th, 2008

One of the biggest problems for merchants that charge credit cards on a recurring basis is maintaining accurate credit card information on file. In any given year, roughly 50% of Visa cardholders will change their account information. This places a heavy burden on merchants to reach out to customers and capture the updated information.

There are a number of reasons credit card details change, including bank mergers that result in new numbers, identity theft, balance transfers and the regular updating of the card’s expiration date. Regardless of the cause, merchants face an uphill and expensive battle to deal with these changes.

Eight years ago Visa started working on a program they call Account Updater (VAU). They created an automated system that directly interfaces with merchants and updates customers' credit card information. Here is how it works:

1. Merchants are enrolled in VAU through their participating Visa Merchant Bank.
2. Visa card Issuers submit electronic files with updates to Visa when a cardholder’s account information changes.
3. Issuers are required to send these file updates within two business days, and are strongly encouraged to send them daily to ensure that account-on-file Merchants have the advantage of the latest authorization data.
4. Participating Merchants submit account numbers, through their Visa Merchant Bank, for customers with whom they have an ongoing payment relationship. VAU processes inquiries against its database and provides responses to the Visa Merchant Bank.
5. Participating Merchants are required to update their customer account database within five business days after receiving VAU updates from their Visa Merchant Bank and to ensure that the updated database is used in future Visa transactions in accordance with Visa Account Updater Terms of Use.

Visa charges a nominal fee for the service which varies according to volume but is in the range of $.30 to $.50 per ‘matched’ file.


Alternative payments are getting greater scrutiny

January 10th, 2008

For the past few years there has been nothing but positive buzz about alternative payment types PayPal and Bill Me Later in the payment processing industry. By all measures their market penetration has been disruptive and impressive. Today, for the first time that I’ve seen, Kelli Grant of the Wall Street Journal has a piece out, “Beware of Web-Pay Alternatives”, that focuses on some of the more potentially unappealing aspects of these payment types for consumers. Note, for PayPal, Kelli is highlighting PayPal Pay Later, which is different from their standard offering.

Here are three reasons you may want to think twice before using one of these services:

Your Credit Score Could Take a Hit. If your goal is to get away from paying with plastic, be especially cautious about services like PayPal’s Pay Later and Bill Me Later, which function as a line of credit. “Any new account, especially one that immediately carries a balance, is considered a risk on your credit report,” said Gerri Detweiler, a credit adviser at Credit.com. Opening one new account could push a credit score of 707 down to 697 for six months, according to Fair Isaac Corp.’s FICO Score Simulator.

Even worse: Your score could drop by as much as 100 points if you come close to maxing out the line of credit, said Ms. Detweiler. For someone planning to shop for a mortgage, home equity line of credit or other loan, the difference could lead to higher interest rates and thousands of dollars more in payments. Even if you aren’t planning to make a big purchase, a drop in your credit score could prompt your creditors to raise the rates on your existing accounts. PayPal clearly discloses its line of credit as a credit product, as well as the terms and conditions before consumers apply, said spokeswoman Amanda Pires. Bill Me Later didn’t respond to requests for comment.

You Will Pay High Interest Rates. If you carry a balance with alternate-payment services, you face exorbitant interest rates. PayPal’s buyer-credit option charges a variable 22.75% annual rate, while Bill Me Later has a variable interest rate of 19.99%. For comparison’s sake, standard credit cards carry an average variable rate of 13.89%, according to Bankrate.com. (For consumers with great credit, those rates could be much lower.)

You’ll Get Weaker Protections. Security is frequently touted as one of the upsides to alternate-payment programs. After all, there is no credit-card number to steal. “But that means you won’t have the same protections as if you were paying with a credit card,” said Consumer Federation’s Ms. Grant. “[Fraud] coverage is extremely limited, and whatever protections the service does give you are voluntary.”

When it comes to your credit card, federal law dictates what your liability will be if someone makes an unauthorized purchase. (At most, you will pay $50.) The law also protects a consumer’s right to dispute charges on their account for incorrect billing and defective items, among other problems. Bill Me Later, eBillme and PayPal have zero-liability policies for unauthorized charges (no matter what method you use to pay), but their policies are somewhat weaker when it comes to disputes.


Credit card Interchange

January 5th, 2008

Interchange is the wholesale pricing of Visa, MasterCard and their co-issuing financial institutions in the credit card processing industry. Visa and MasterCard branded cards account for roughly 70% of all transactions.

When financial institutions issue credit or debit cards to a consumer or business, they make the Interchange fee every time that card is used to purchase something. Visa and MasterCard, the co-issuers, make a very small margin on top of the financial institution's set fee. The financial institutions make roughly 80% of all credit card fees charged. Businesses that accept credit cards as a form of payment, of course, pay these fees.

Discover and American Express are non-bank cards, meaning that they don’t use the thousands of banks nationwide to issue their cards to consumers and businesses. Discover and American Express determine their own fixed, almost non-negotiable rate structures.

Discover recently announced that they will be changing their business model to be more like Visa and MasterCard and have a set Interchange structure that merchant service providers can mark up and then bundle with Visa and MasterCard credit card processing. The move is to try and broaden acceptance and simplify processing for merchants who will now only receive consolidated pricing and one monthly statement for Visa, MasterCard and Discover. American Express will still be separate.

The exact Interchange rate that is charged on a particular transaction depends on a number of variables. In fact, there are over 170 different interchange rates that are determined based upon the card type (e.g. debit, credit, rewards, corporate), business type (restaurant, retail, ecommerce, gas station, etc.), acceptance method (swiped, internet, phone), settlement or batch time frame and what information is submitted with the transaction (e.g. Address Verification Service (AVS)). There are a few other more advanced variables that influence the Interchange rate.

Merchant account providers mark up the wholesale Interchange rates and offer merchants credit card processing services. To simplify the complexity of the Interchange structure, most merchant service providers will offer a 3-Tier pricing program. This means that a merchant will have one rate for swiped transactions, another for non-swiped cards and another for corporate cards. Sometimes a 4-Tier pricing structure is issued with the addition of a swiped debit card rate.

The interesting thing about these pricing structures is that there may actually be 40 different interchange rates that are charged to the merchant, but the merchant account provider just buckets all of these rates into the three different categories. Some merchant account providers may bucket Reward cards in the second most expensive tier and another company may bucket them into the third and most expensive tier. That’s why it’s very challenging to compare rates from one provider to another.

Other related posts:
Where do credit card fees come from?


Innovation in credit card reward programs: 529 college savings rebates

January 3rd, 2008

Illinois has partnered with MasterCard to offer a new innovative credit card rewards program for their Bright Start College Savings Program. Families can now use their Bright Start Futuretrust MasterCard card and receive a 1% cash rebate to save and invest money tax free to pay for college expenses. It’s the first and only 529 rewards program.

Bright Start makes a one-time $25 contribution upon the first use of the card as well as enhanced rebates at selected retailers such as JCPenney 4%, Barnes & Noble 3%, Lands’ End 4%, Overstock 3% and many more.

This move highlights the ongoing high stakes effort by all payment providers, both conventional (Visa, MasterCard, AMEX & DISV) and new entrants (Google Checkout, PayPal, Bill Me Later, Revolution Money, Tempo) to create incentives for consumers and merchants to use their payment instrument as their preferred form of payment.

The new entrants have been vying for a piece of the payment acceptance market and are trying to get a critical level of widespread acceptance as quickly as possible - or face the high probability of failure. Revolution Money, for example, has bet that their success in the marketplace will be driven by their lower fees to merchants and, for consumers, their PayPal-like features in the social media and blog space for small dollar payments.

It’s an ongoing challenge to construct the proper balance of driving demand from both the consumer and merchant side. MasterCard’s partnership with the State of Illinois demonstrates that the incumbent credit and debit card providers will continue to rely heavily on driving their market dominance through consumer demand.


MasterCard Announces Increase to International Interchange Fees

December 19th, 2007

Effective January 15th, 2008, MasterCard will raise three categories of its international interchange.

  • International Consumer: Interchange rates will increase between .24% and .05% basis points on transactions where a non U.S. consumer credit card is used at a U.S. based merchant.
  • International Commercial: Interchange rates will increase .15% basis points on transactions where a non U.S. commercial credit card is used at a U.S. based merchant.
  • Cross-Border Assessment: Rates will increase by .20% whenever the cardholder’s country code is not the same as the merchant country code.

The European Union wasn’t too pleased with the increase they announced for European merchants and have given MasterCard six months to drop the increase or else face a daily fine of 3.5% of daily global revenues? (Can they really do that?)

In years past Visa and MasterCard would announce interchange changes on an orderly schedule, usually in the spring. When announced, most credit card processing providers in the industry would attempt to capitalize on these increases and raise the margins they were getting from their customers. So for example if rates went up .20% basis points they would increase their rates .40% basis points, which in my opinion is not a fair practice. It’s understood that rate increases will be passed on but not added to.

At the same time, this topic is very complicated so I don’t want to oversimplify it. At the heart of the problem is the highly complicated interchange structure which consists of roughly 170 different rate categories. Read here for a more detailed explanation of where credit card fees come from and how they are determined.

For large providers, because pricing changes must be made to the entire portfolio, averages are passed on to all the merchants. These international increases are a good example. Most merchants don’t process a lot of international cards regularly so the interchange increases would have minimal impact on the credit card provider. But because it’s logistically very challenging for the larger providers to drill down and evaluate each merchant’s processing, averages are used to determine increases.

So when you receive your next few monthly credit card processing statements that you never read, look for the message at the top where a rate increase will probably be announced.


Discover Card bundling processing with Visa and MasterCard

December 14th, 2007

Discover has started the process of bundling their credit card processing with Visa and MasterCard. This means that merchant account providers will soon be offering merchants a single daily deposit for Visa, MasterCard, and Discover, a consolidated monthly statement and one phone number for customer service. If merchants accept American Express they will still receive a separate deposit and monthly statement for related sales.

This change should help simplify things for both providers and merchants. Discover has been around for 22 years and currently has roughly 4 million merchants in the U.S. Visa and MasterCard have about 35% more merchants. This move is to try and close that gap. In the near future, merchants will be automatically signed up to accept Discover.

Discover Card is also beefing up efforts with its offerings to consumers to try and increase the number of cardholders. After all, if they lock up the supply side but can’t improve the demand side, nothing has been gained.

 
     


 
 
 