PCI Compliance…Are you at risk?

AS A MERCHANT, HAVE YOU EVER...

• Processed a credit card transaction at your business and noticed the receipts contained the full credit card number and the expiration date? How about your copy of the receipt? If so, you are NOT COMPLIANT AND AT RISK.
  
• Stored credit card numbers in a binder or on your computer in a spreadsheet for recurring billing? NON-COMPLIANT!!!
  
• Configured your router or computer and used a easy, generic password such as 1-2-3-4? HACKERS LOVE THIS….YOU, AND YOUR CUSTOMERS ARE AT RISK. Create your own password and never use default passwords.
  
• Had your terminal go down and started keeping credit card data written in a spreadsheet on your computer to charge the client later?
  
• Imprinted a card and written down the CVV data (3-digit security code on back or 4-digit code on the front of the card)?
  
• Not renewed your anti-virus software on your computer?
  
• Spent years storing your receipts in a shoe box in your back office?
  

You may have seen in the news in recent months of the huge data breaches that took place which resulted in millions of credit card numbers being compromised. A couple huge payment processors and a major retailer were hacked into. You would think that these types of entities are the main targets of these international fraudsters. However, due to increased security being put into place, hackers and thieves are beginning to focus their attention on small, local, mom and pop type organizations. Consequently, you absolutely need to be aware and alert for the safety of you, your business and your customers.

PCI DSS is the real buzz phrase in the payments industry these days. It stands for Payment Card Industry Data Security Standards. Compliance is a standard of security established for any business that processes credit cards. Whether you have a computerized POS system, process over a phone and do manual imprints, process through a credit card terminal or have an e-commerce website taking orders, PCI establishes a series of best practices and minimum security protocols that must be observed for your business type.

Through the Fair and Accurate Credit Transactions Act of 2003, Public Law 108 to 159, the U.S. congress preempted what some individual states mandated on credit and debit card truncation to set a national standard. Under Title 1, Section 113 of the act, only the last five digits of the card account number can be printed on electronically printed receipts provided to the customer. The laws vary by state regarding truncation of the merchants copy. Some states carry it even further and say that the expiration date can't appear on receipts either. To be on the safe side, I would suggest that you make certain that both copies are truncated totally. If your receipts are showing more than is allowed, contact your processor, or POS vendor, immediately and have them assist you in becoming fully compliant.

While you're at it, ask your processor about any PCI compliance fees they may now, or in the future, be charging you. Some are using this as a new revenue stream and charging excessive monthly, annual or a combination of both, fees with no corresponding benefits.

Check your statement monthly

I can't tell you how many times merchants hand me their credit card processing statement still sealed in the original envelope. But, I can't say as I blame them as many of these statements are difficult to decipher. In fact, most processors know, from experience, that a very small percentage of merchants really take the time to look at them. Good for them....bad for you.

If you feel that it is near impossible to really understand your statement, and all it's various charges, you need to ask the questions. You could contact your rep, if they're still around. The Customer Care department of your service provider, would be another suggestion, and they should be happy to walk you thru it, line by line. Or, you could contact me and with my years of experience, and I'll be able to help you figure it all out.

Often, you will see at the top of your monthly statement, something called "Important Notice" or "Statement Messages". Here is typically where you will see notes on upcoming changes to your statement and subsequently, your processing costs.

Here's an example of what I'm talking about. With the increased credit card fraud and data breaches of late, most processors are passing on some sort of "fee" to you to help "protect" you and your business. Typically, they will notify you in the Statement Message section of your statement of upcoming charges. One processor I know of, notified their merchants of a monthly $9.99 Data Breach Service fee that was going to be charged to them. They gave merchants a couple months for free with the opportunity to call in and opt out if they didn't want it. However, the majority of merchants never read those little notes and months later, some of them start calling in asking what the fee is and who authorized it.

I've also seen merchants that are still getting statements from processors that they previously did business with, and are still paying monthly minimum fees to because they never cancelled the agreement. This, of course, is just money being thrown away.

Probably the most disturbing thing I find is that, over time, a merchants rates have continued to rise, without the knowledge of the merchant because they haven't looked at their statement in detail each month. Or, there are services they are paying for, but not utilizing and therefore costing them unnecessarily.

So, the bottom line here is....how is this affecting your bottom line? Let me urge you, please, please, please, take the time, each and every month, to look at your statement in detail. Make certain that you fully understand every charge and why you're paying it. If, when you make your call, you feel as if you're getting the runaround, please don't hesitate to contact me utilizing any of the contact methods found on this blog.

Thanks for taking the time to check out my blog. Be blessed and be a blessing.

What's in your bucket?

Maybe you're wondering what I'm talking about here. Let me explain. In any kind of a tiered pricing model for accepting credit cards, your processor decides which "bucket" or tier they will put transactions. Okay, let's say you are on a Three Tier Pricing model. Your statement would have Qualified, Mid-Qualified and Non-Qualified transactions.

Typically, in this model, when you swipe either a debit or credit card, thru your terminal/software, it will be processed at the Qualified level. Usually, this is also your best rate as well. Now, let's say you hand-key a transaction from a phone order or simply a worn out card that your machine won't read. Most (not all) processors would then treat that as a Mid-Qualified transaction at a higher rate than your Qualified rate. Now, this certainly is justified because the costs to the processor, due to the perceived higher risk, is more so it is passed on to you. Typically, what falls into the Non-Qualified category would mostly be corporate type card transactions. However, some processors, knowing that their merchants don't know much about this industry, will clear even some Rewards cards in this Non-Qualified category. The big question here is, do you ABSOLUTELY KNOW what category ALL or your different transactions are falling into? You should! Ask your current provider to thoroughly explain and if they don't to your satisfaction....find another provider. Now, of course, you could simply go to my website and purchase my ebook on credit card processing. It has received rave reviews in educating merchants around the country.

Maybe, you are on a 4 Tier Pricing model. In this case, the 1st Tier would represent debit cards swiped. The 2nd Tier would be credit cards swiped. The 3rd Tier would be hand-keyed and some Rewards cards. And last, but not least, the 4th Tier would mostly be corporate cards. However, you still have this "bucket" situation going on here. Each processor can put whatever cards they want into any "bucket" they desire. Again, all the more reason for you to really become educated.

Over the past couple years we have seen a surge in Rewards type cards being issued and used. You possibly have one or more in your wallet. When customers go shopping in your establishment and they have a "generic" V/MC in their wallet and a card that pays them some sort of reward for their purchase, which one do you think they will use? Guess what! You pay more to accept them and, indirectly, you are helping the card issuing bank to pay the reward to the customer. It's kind of like paying them to shop with you. Nice huh?

I had a merchant show me a recent statement from their provider. They were informed that as of October 2008, Visa Rewards 2 cards that had previously been cleared as a Mid-Qualified transaction will now be treated as Non-Qualified. Keep in mind now that Visa didn't raise the Interchange Rate on these card types in October. The processor, seeing an increase in these in the marketplace, decided it was a great way to make more off the merchant. Oh, and also, the processor told them, in addition, they would be raising their Non-Qualified rates by .20%. Ouch! The, the DOUBLE WHAMMY!

The bottom line of all this is simply you need to get educated. If I can be of any assistance, there are numerous ways to contact me on this site.

Thanks for coming by