Entries tagged with “PCI DSS”.


There are several types of hidden fees payment processors can charge you. If you don’t look out for them, then you might wind up paying much more than you first anticipated.

One source of such fees deals with ownership. Will your business own the payment processors or will you merely be leasing them from another business? If you own the payment processor, then you just have to pay for the initial purchase. But if you lease it, you’ll probably have to pay a monthly or yearly fee.

Before buying a payment processor, you should ask everything you can about ownership and related hidden fees. Here are four questions that a recent Small Business Computing article suggests:

  • Are they providing the equipment as a rental?
  • Do they want to lease it to you?
  • With sufficient cancellation notice, can you return the equipment without being charged for it?
  • Can you purchase the equipment outright (ahead of time)?

Cancellation is an important one. You’ve probably already dealt with this at one point or another with your cell phone provider. Businesses love to create contracts that trap you for a long period of time. If you decide to lease your payment processor, then you might unknowingly enter such a contract. You can avoid this by asking about their cancellation policy first.

    The lesson here is always to ask before signing anything. When you buy a payment processor, you need to know whether you own it or whether you’re entering a lease.

    To talk more about payment processors for small businesses, or anything else, please contact us. Thanks.

    Running a small business requires a whole lot of patience and an even larger amount of decision-making
    skills. As part of the decision-making process, managers and business owners have to decide on details
    such as what payment processor to go with. Approach your decision-making process with a clear mind.
    With these 5 tools, you will be sure to make the right decision for your small business.

    1. Compare Fees and Associated Rates

    Fees and associated rates are just two things that most credit card processing companies try to
    manipulate customers with. Although some companies might provide seemingly low rates, look
    for associated hidden fees—that’s usually how they mislead customers. Compare fees for both
    swipe and keyed rates because they will be different.

    2. Evaluate Point-of-Sale Solutions

    Point of sale, or POS, is when a customer pays a merchant in exchange for
    goods or services. During the POS, the merchant calculates the amount owed and provides a
    payment solution. When evaluating POS, look at what equipment and software are available to
    either rent or lease. Compare and contrast the benefits that equipment and software companies
    are offering. Evaluate what your business needs and compare it to what companies are offering.

    3. Not all Payment Processors are Equal

    When you start to evaluate which payment processing company is good for you, remember that
    not all payment processors are created equal. Although some companies’ rates
    might appear to be lower than their competition’s, their hidden fees might actually result in their
    fees being equal to their competitors’.

    4. Evaluate Security & Fraud Assistance

    Are fraud detection and protection services included in the pricing? Or are they being offered at
    an additional charge? As two of the components that can ultimately save your business tons of
    money, security and fraud assistance are a must-have. Make sure your credit card processing
    company can provide you with these services at a price you can afford.

    5. Assess Monthly Minimums and Caps

    Did you know that it typically takes between 24 and 72 hours for funds from a sales transaction
    to be deposited in your account? Make sure your credit card processing company can guarantee
    the transfer of funds within the 72 hours.

    For more on how to select the ideal payment processor, a team member at ProPay is here to help; contact us.

    In the world of merchandise processing, there are two different types of transaction processing: swiping and keying. With constant access to mobile devices such as tablets, smartphones, and laptops, more and more merchants are swiping, but why? To fully understand why more merchants are swiping cards rather than keying them in, let’s take a look at the difference between swiping and keying credit cards.

    Swiping vs. Keying Credit Cards

    The difference between swiping credit cards and keying them in is pretty self-explanatory. When swiping, you have to have the card present, and it typically requires either a mobile device with a swipe adapter, such as ProPay’s JAK, or a computer/register with an internet connection. When keying a credit card in, merchants have to hand-enter every card number, and the credit card doesn’t actually have to be present. So, why are more merchants avoiding keying credit cards? Three reasons: fraud, savings, and convenience.

    Fraud Rates

    The biggest reason not to key in credit cards is plain and simple: fraud. Because merchants don’t actually have to have the credit card present with keyed payments, the chances of fraudulent transactions are a lot higher. Because most thieves steal credit card numbers instead of the card itself and then make by-phone or online orders, the card itself is never seen. Avoid these types of no-swipe fraudulent transactions altogether and only allow customers to pay for merchandise when they have the card present.

    Savings

    Because there is a higher fraud rate for credit cards that are being keyed in, credit card processors charge a higher rate for keyed transactions compared to swiped transactions, in order to protect themselves against any false transactions. How much more money do they charge? About .5% more per transaction. For example, credit card processors typically charge around 3.5% for keyed transactions, whereas ProPay only charges 2.29% for keyed transactions.

    Convenience

    Have you ever had to hand-enter someone’s credit card only to realize you mis-entered one number and have to start all over? With swiping, you never have to worry about that problem again. Also, you can swipe anywhere, at any time, giving you the freedom and mobility your business needs in order to stay prevalent in this economy.

    To learn more about swiped rates visit ProPay online.

    A major national insurance company announced this week that its network had been compromised and more than 1 million customer records were stolen. Among the data included in the breach are “people’s names and a combination of Social Security numbers, driver’s license numbers, their date of birth, and possibly marital status, gender, and occupation, as well as the names and addresses of employers.”  A company spokesperson said that there is no evidence that credit card information or medical information was involved in the breach.  Affected individuals are being notified and offered free credit monitoring services.

    It is interesting to note that this is the latest compromise in which sensitive personal information was stolen, while credit card data seems not to have been involved.  A few months ago, South Carolina had a similar type of incident in which Social Security and banking information was compromised, while the encrypted cardholder data remained secure.  Now, I don’t have any details or knowledge of these events outside what is printed in the releases or articles, but it does leave me thinking of a very important reminder: PCI DSS only addresses cardholder data, not any other sensitive personal information.  Birth dates, routing numbers, Social Security numbers and other sensitive data are left out in the cold with respect to PCI DSS, though they merit just as much, if not more, protection than cardholder data.

    PCI DSS only applies to cardholder data.  It provides a baseline of protection for credit and debit card information.  Nowhere in its requirements does the PCI DSS require companies to protect social security numbers, bank routing information, birthdates or any other sensitive information.  Many companies take great pains to comply with PCI DSS and the standard has done a lot of positive things for an industry that desperately needed to implement strong security.  However, simply being PCI DSS compliant does not mean that all the sensitive data in an organization’s environment is protected.  A serious obstacle to overall security arises when companies believe that compliance with PCI DSS equates to security.

    PCI DSS provides a good launching point for security initiatives.  Many of the requirements contained in the standards are best practices (if not requirements) for other types of data, as well.  It is tempting, particularly with so much focus on compliance, to focus on PCI DSS and cardholder data to the exclusion of everything else.  It’s important to remember, though, that companies have many types of data in their networks.  Companies would be well-served to conduct a data inventory, find out what they really need and what they don’t need to keep.  If it is needed, then it should be adequately protected. If it is not needed, it shouldn’t be stored.  Excess data is excess liability.
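
A minimal sketch of the data inventory suggested above, added here as an example (it is not from the original post): it scans record fields for card numbers, Social Security numbers and bank routing numbers, then lists the fields holding sensitive data that PCI DSS does not address. The detector patterns, field names and sample record are constructed assumptions.

```python
import re

PCI_SCOPE = {"PAN"}  # PCI DSS covers cardholder data only

def luhn_ok(digits):
    """Luhn check, so arbitrary long digit strings are not reported as cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def aba_ok(digits):
    """ABA routing number checksum with weights 3-7-1 repeated."""
    return sum(int(c) * w for c, w in zip(digits, (3, 7, 1) * 3)) % 10 == 0

def ssn_ok(ssn):
    """Reject SSN area/group/serial values that are never issued."""
    area, group, serial = ssn.split("-")
    return area not in ("000", "666") and area < "900" and group != "00" and serial != "0000"

DETECTORS = [  # (label, candidate pattern, validator) -- illustrative, not exhaustive
    ("PAN", re.compile(r"\b\d(?:[ -]?\d){12,18}\b"), lambda s: luhn_ok(re.sub(r"\D", "", s))),
    ("SSN", re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), ssn_ok),
    ("ABA_ROUTING", re.compile(r"\b\d{9}\b"), aba_ok),
]

def inventory(records):
    """Map each field name to the set of sensitive data classes found in it."""
    found = {}
    for rec in records:
        for field, value in rec.items():
            for label, rx, check in DETECTORS:
                if any(check(m.group()) for m in rx.finditer(str(value))):
                    found.setdefault(field, set()).add(label)
    return found

def outside_pci_scope(found):
    """Fields holding sensitive data that PCI DSS requirements do not address."""
    return sorted(f for f, labels in found.items() if labels - PCI_SCOPE)

# Constructed sample record; every value is a test value, not real customer data.
SAMPLE = [{"card_number": "4111 1111 1111 1111", "notes": "SSN 078-05-1120 on file",
           "bank_routing": "123456780", "order_id": "1234567890123"}]

if __name__ == "__main__":
    found = inventory(SAMPLE)
    print(found)
    print("Not covered by PCI DSS:", outside_pci_scope(found))
```

The checksum validators keep the inventory from flagging every long number: the 13-digit `order_id` in the sample matches the card pattern but fails the Luhn check, so it is not reported.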

    “The times are tough now, just getting tougher  - This old world is rough, it’s just getting rougher - Cover me, come on baby, cover me” – Bruce Springsteen 1984

    Businesses work very hard to build their brand.   Small businesses are no different.  Establishing trust and loyalty among the customer base is essential to the longevity of any business.  Many companies focus on marketing and sales relationships to ensure that connection between customer and company continues to grow.  Social media, direct mailings, radio and TV advertising, print advertising, and data security and privacy policies all contribute to the growth of brand trust.  Wait a minute!  Did I say data security and privacy policies?  You betcha!  This is what I like to refer to as “brand security.”  Businesses spend an inordinate amount of time and money on establishing a brand that customers trust.  One of the fastest ways to lose that trust is to suffer a data security breach or to violate customer privacy.  For that reason, I often refer to data security and privacy programs as “brand cover.”

    I’m going to borrow heavily, and probably poorly, from law enforcement and military actions here.  When you go into action, you generally have a forward team and then you have a team that provides “cover.”  This team keeps an eye out for threats that may not be visible or apparent to the forward team, but pose significant risk.  In the business world, one can think of your sales and marketing efforts as the forward team, while data security and privacy programs provide the cover.  Your marketing and sales efforts move the company forward and increase awareness.  Your data security and privacy programs help to mitigate unseen, and sometimes unknown, risks to your brand’s integrity.  In fact, some larger organizations, particularly not-for-profits, are more concerned about brand damage in the event of a security or privacy compromise than they are about the fines that may be associated.

    For small businesses, implementing and enforcing data security and privacy policies can seem daunting.  The Better Business Bureau, though, has put together a primer for businesses to help them develop these programs.  If you accept debit and credit card transactions, you can look for services to help minimize how much of that sensitive payment data your business stores.  You can also undertake an inventory to see just what data you are collecting and storing and how you are protecting it.  You can also evaluate the partners that you use and how you share data with them. Understanding your data can ultimately serve as a very effective means of protecting your company, your brand, and your customers.