Archive for August, 2011

When considering merchant services, it is important to understand how provider pricing works so you know what you will actually pay. Getting an overall picture with some providers can be a challenge, but a good approach is to take your total fees for processing in a given month or year and compare that to your total dollar amount processed. This gives you an effective rate of processing.

An important thing to understand in choosing a merchant account provider is how card processing fees work. The card brands have hundreds of different rates based on business type and card type. For example, swiped transactions are usually less expensive than key-entered or e-commerce transactions. Basic consumer credit and debit cards are generally less expensive than business, government, or cards that have rewards and air miles programs. The cost to process each type of card depends on its ‘interchange’ qualification.

With so many different qualifications, most providers lump similar cards into two or three tiers.  The quote will generally include a qualified rate and a non-qualified rate, and possibly a mid-qualified rate.  Alternately, they may pass on all interchange and brand ‘pass-through’ costs and then mark up the rate by some % and per item fee (‘interchange-plus’ pricing).  Other providers, like ProPay, simplify the complexity by absorbing the highs and lows and charging the business the same ‘blended’ rate for every transaction, regardless of card qualification.

Many providers have other fees, including for statements, account maintenance, minimums, support fees, AVS, PCI non-compliance, and online access.  It is important to understand how those affect your total cost of processing.  Be sure to read the fine print because the low, low advertised rate is frequently not very close to what you may actually pay.

In the end, if the company does not have straightforward pricing, it may be difficult to tell exactly what your total fees will be until you start processing, since only then will you see how many cards qualify as rewards, miles, debit and so on.   You may be able to simplify your accounting, avoid some expensive surprises, and focus your time on the most important things by choosing a straightforward, blended fee structure.

It’s been a busy month for the Payment Card Industry Security Standards Council (PCI SSC).  In August the PCI SSC, the organization charged with managing and disseminating security standards related to cardholder data, released two new guidance documents.  One of the documents provided guidance on selecting or building tokenization solutions while the other was concerned with wireless networking security.  While the wireless guidelines document is an updated version of the existing document, the industry has been awaiting the tokenization guidelines for some time.  In this post, the PCI DSS Tokenization Guidelines will be discussed.  The Wireless Guidelines will be discussed in a subsequent post.

Since its introduction to the payments industry, tokenization has been heralded as one of the most effective ways to meet compliance with the PCI DSS.  This has led to a long debate among security professionals about the proper implementation of tokenization solutions for the purpose of achieving and maintaining compliance.  Without the voice of the PCI SSC, there was some trepidation about just how much reduction of the compliance effort could be achieved with tokenization solutions.

The new guidance document for tokenization offers “Key Considerations for Tokenization Operations.” Among these considerations is whether the Primary Account Number (PAN) can be recovered from the token. If the organization still has the ability to recreate the PAN using the token, then no benefit with respect to reduction of PCI scope will be achieved.

Another important clarification introduced in the guidance document is that there must be a way to distinguish between the token and an actual card number. This is particularly important as an increasing number of tokenization providers offer tokens that are virtually indistinguishable from card numbers. They are 16 digits and will pass the Luhn test, which is a signifier of a valid card number. The PCI SSC offers several reasons for this guidance. According to the document, “Without the ability to distinguish between a PAN and a token, the merchant or service provider may not realize that the tokenization system isn’t functioning as intended. Additionally, PANs could be mistakenly identified as tokens, which can lead to mis-scoping of the CDE [cardholder data environment] and the possibility that the PANs are left unprotected and open to compromise.”
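As an added illustration of the two considerations above (tokens that cannot be reversed into a PAN, and tokens that are distinguishable from a PAN), here is example code that is not part of the PCI SSC guidance or any ProPay product. It assumes a token format that keeps the last four digits for receipts but is deliberately chosen to fail the Luhn check, and a small scoping check that flags any Luhn-valid 13 to 19 digit value as a PAN; the sample values are constructed from publicly known test card numbers.

```python
import secrets
import string


def luhn_valid(digits: str) -> bool:
    """True if the digit string passes the Luhn check used for card numbers."""
    if not digits.isdigit() or len(digits) < 2:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def make_token(pan: str) -> str:
    """Hypothetical token format: same length and same last four digits as the PAN,
    the rest random (so the PAN cannot be recovered from the token), and the whole
    value is rejected unless it FAILS Luhn, so it can never pass as a live PAN."""
    last4 = pan[-4:]
    while True:
        middle = "".join(secrets.choice(string.digits) for _ in range(len(pan) - 4))
        candidate = middle + last4
        if not luhn_valid(candidate):
            return candidate


def looks_like_pan(value: str) -> bool:
    """Scoping rule: any Luhn-valid 13-19 digit string must be treated as a PAN."""
    return value.isdigit() and 13 <= len(value) <= 19 and luhn_valid(value)


def classify(values):
    """Split field values from a data store into PAN-like values and tokens."""
    result = {"pan": [], "token": []}
    for v in values:
        result["pan" if looks_like_pan(v) else "token"].append(v)
    return result


# Constructed sample: two industry test numbers (Luhn-valid) and one altered digit.
SAMPLE_VALUES = ["4111111111111111", "4111111111111112", "5500000000000004"]
```

A value that trips `looks_like_pan` in a system that is supposed to hold only tokens is exactly the “tokenization system isn’t functioning as intended” case the guidance warns about, and the affected store must be treated as in scope.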

The document further outlines the differences between an “on-premises” solution and an outsourced solution.  An on-premises solution is one in which the merchant maintains control over the entire tokenization solution, including the system that creates the tokens.  The responsibility in this case rests solely on the merchant to maintain the security and compliance of the system, as the tokenization system, and the systems connected to it, are always in scope for PCI DSS.  An outsourced solution, on the other hand, significantly reduces the merchant’s scope.  The document then goes on to detail the responsibilities of the various parties relative to the tokenization system.

The tokenization document should prove extremely helpful for merchants that are in the process of evaluating a tokenization solution. It will allow merchants to develop their own metrics for determining the correct solution for their environment and for their abilities and resources.

Dr. Heather Mark, PhD; SVP of Market Strategy

Part of creating a successful business is creating seamless customer interaction. Ensuring customer satisfaction with fair and honest treatment creates business loyalty and increases customer referrals. With your ProPay account you can process refunds on credit cards that you have previously charged. You can also void or cancel pending transactions before the transaction has been sent for settlement. For a step-by-step tutorial on how to refund or void a credit card on your ProPay account, please visit the link below:

FAQ- How to Refund a Credit Card

By clearly communicating your business policies to your customers, and issuing refunds in a prompt and appropriate manner, you can avoid possible chargebacks and negative customer feedback and increase your business opportunity. ProPay’s seamless payment and refund process increases that satisfaction and allows your business to grow and succeed.

A recent article on MSNBC detailed a “security issue” at two major banks. The vulnerability in question related specifically to the use of the banks’ phone system. Generally, when a caller uses the automated account system via telephone, the system verifies the number from which the person is calling. If the number matches the number on the account, the verification process is streamlined. That means that instead of entering an entire account number, the caller can simply enter the last four digits of the number. They would then be able to access the limited information available through the automated phone system. Typically, that would include information such as credit limit, account balance, date and amount of the last payment and similar information. The caller would not be able to access other accounts or to retrieve the account number. The article expressed concern that someone could easily obtain a consumer’s phone number and the last four digits of the card number. By “spoofing” the consumer’s number and entering the last four digits, an ill-intentioned individual could “hack” the system.

The author expresses outrage that such a vulnerability could exist.  Other banks, he insists, require that users enter a complete account number.  He makes no argument about the increased security that may offer to the transaction.  The article goes on to detail exactly how one could hack the system, then call the consumer posing as the bank to use that ill-gotten information to coax more information out of the user that could be used to facilitate identity theft, or even to blackmail users based on their transaction history.

Data security and privacy should be top priorities for any company that deals with consumer information. However, those businesses must also maintain operations. Convenience and security will always be at odds, and companies are tasked with striking just the right balance – making their services easy to access while still protecting consumers and their data. Most companies seek to achieve this balance with the judicious use of risk analyses. During the risk analysis, the company identifies the potential vulnerability and analyzes what the impact would be if that vulnerability were exploited. High impact events, whether that impact is in terms of frequency or in monetary damage, are addressed and steps taken to mitigate the risk. While this author has no direct knowledge of the business practices of the banks in question, it is unlikely that the bank would have adopted such a practice if the impact to its customers or to the bank was intolerable.

In security, one must balance the theoretical with the practical. In theory, data is never safe. There is no way to categorically prevent data theft. The risk can be transferred (as with insurance policies or third-party service providers) or it can be mitigated by implementing increasingly strong protections, but it cannot be entirely removed. Security professionals must be able to recognize when a theoretical threat becomes a real one and how to most efficiently allocate resources to address the nature of the threat.

Dr. Heather Mark, PhD; SVP of Market Strategy

Remember ten or more years ago when the question for small business owners was, “to have a website or not”? Or when we may have scoffed at Bill Gates’ vision of a PC in every home? Well, we’re on the verge of another game-changing wave called Mobile Marketing. If you haven’t caught the vision, now is the time to catch it. Did you know:

  • By 2012 Smartphone sales will surpass computer sales (Morgan Stanley)
  • By 2013, Smartphone sales will overtake PCs as the most common Web access device worldwide (Merrill Lynch Report)
  • The gross value of mobile transactions will reach $1.13 trillion by 2014 with $288.4 billion being spent in North America (Ie Market Research)

The question is, are you ready? If you’re a “Digital Slowpoke,” according to Ann Handley, Chief Content Officer of Marketing Profs, here are 6 ways you can begin to catch up.

1. Create a solid Web presence. Of course, you need a website. Create one using one of several free website development tools. Some good easy-to-use options for non-geeks include Weebly, Wix, WebsYola.com, or Flavors.me. For a stupid-easy solution, use blog software from WordPress.org as your main Web page.

Using blogging software like WordPress, by the way, doesn’t mean your site must look like a blog. There are a bunch of inexpensive, flexible, smart design templates you can apply to blogging platforms to create a compelling-looking site, or you can pay a Web designer to customize it for you.

2. Open the door to interaction. Make sure you spell out on your website what your small business does, who it serves, and where it’s located. That sounds obvious, right? But it’s surprisingly easy to overlook the basics when you’re the one building it. Include an obvious way for people to get in touch with you.

3. Start a database. As Chris Brogan has pointed out, a customer and prospect list is key to any kind of successful engagement. Even a simple spreadsheet will do. This will help you stay in touch with people who have left comments and feedback and who have voiced interest in staying up to date with you and your business.

4. Start publishing. Use your customer database to start a newsletter for your customers or your vendors. Launch a blog and commit to refreshing it two or three times per week, and allow users to subscribe to your content via RSS or email. Use a simple Flip camera to create customer testimonial videos onsite, at trade shows and events. Upload them to YouTube.

5. Get a smart phone. Business today is global, mobile and social. For many businesses, geographic boundaries don’t exist, and you can extend your reach via social media to anywhere in the world. If you don’t have an iPhone, Android, Blackberry, or some other smart phone, get one today with an unlimited data package and spend time texting, browsing and communicating in the medium.

6. Don’t stall. Do something now. You don’t have to do everything, but you do have to do something. The best way to think about how to move forward is to envision ways that new tools can strategically extend your business (your message, products and services). Today is as good a day as any to start. After all, your competitors are…

Scott Nelson

VP Marketing, ProPay