TRUNCATION and other Merchant Account Info you should know

Here's some terms related to merchant accounts and credit card processing that I should know about:

TRUNCATION - When only some digits of a customer's card number appear on a sales draft or receipt to  provide better security while still enabling  identification (for the cardholder) of the card used;  it’s required by federal law (since 2006) that no more than the last five digits of a card may be shown on a receipt.

TOKENIZATION - Replacement of sensitive data with a unique identifier that cannot be reversed mathematically;  commonly used in payments to replace card data.

ADDRESS VERIFICATION SERVICE (AVS)  - The process of validating a cardholder’s given  address against the issuer’s records to determine accuracy and deter fraud; a code is returned with the authorization result that indicates the accuracy of the address match 

These are samples from Litle & Co's Payment Dictionary which is available as a free download. Very cool. Thanks Litle!

Paypal as a Merchant Account Vendor: PCI Compliance & Chargebacks

I received an email from Paypal, who we use as a merchant account vendor, about how to avoid Chargebacks. It's a pretty good resource. I've excerpted a bit below.

In contrast, they've never contacted me about PCI compliance which I think is amazing. I've always believed that PCI compliance is required for everyone who takes credit cards.  I would count as a tier 3 vendor since I don't store any credit cards and my only obligation to be PCI compliant is to:
- ensure my merchant account is PCI compliant
- have my site checked by an authorized reviewer annually that it is clean and strong so that when we pass the credit card numbers, there's not problem. But I think they, as my merchant account vendor, are obliged to make sure that I am aware of these issues and in compliance.

• What's a Chargeback?
• Fighting Chargebacks
• Avoiding Chargebacks
• Chargeback Fraud

A chargeback, also known as a reversal, is when a buyer asks their credit card issuer to reverse a transaction after it has been completed. It is available only to users who make a payment funded by their credit or debit card.

There are three main reasons a buyer will do this:

1. The purchased item never arrived.
2. The item was significantly different than advertised.
3. Their credit card was used without their permission to purchase the item fraudulently.

Chargebacks are initiated and handled by the buyer's credit card issuer - not by PayPal - and therefore will follow that company's regulations and timeframes. That said, PayPal often plays a role in resolving chargeback disputes.

Usefulness of Amex Statement to Consumers

I wen thru my Amex bill today in some detail. It's a big bill, it's my corporate one. A few things popped out at me.

1. There's no way to distinguish a recurring subscription bill from a one-time bill.  This is annoying. It would be easy for Amex to put the monthly bills in one part of the account. Or force vendors to have some sort of more useful description such as:
- retail, card present
- online purchase,tangible goods, card not present
- software subscription, monthly payment, recurring until cancelled
- annual subscription, not recurring, card not present

Now I think the same problem exists with Visaand Mastercard but I think they have really taken a minimalist aproach to providing information on transactions to consumers.  In fact, each vendor has already passed all this info to their merchant account vendor.

In a related area, I'm trying to fix up how our online educational service appears, when it goes through Paypal as a merchant service account, on the customer's bill......I just wrote them....

We usually like PayPal as our merchant account vendor and over the last few years, have been moving increasing amounts of our business towards you. You probably handle about 25% of our merchant account business.

I just realized from your email that there is no record kept of messages sent to Paypal within the account through the "contact us" function. That's not a quality design. I should not have to type this all over again.  But I will. I'm hoping to just give you good feedback.  Will you make a point of passing that on? Specifically, there should be a record kept of the messages sent within the contact us form to paypal.  Thanks.

There's two core problems in how we appear on the Amex credit cards of our users.

1. Our name.  We are xyz, not xz. (obviulsy, I'm ot putting up our real name but you get the idea).

2. The categories. . I run an online educational service for K12 education. I'd like the receipt when people pay for the service to accurately reflect what we do.  But, we have spent a great deal of time looking at the choices and pulldowns that Paypal provides and we cannot find any of them that are adequate.  This is a real problem and causes a fair amount of really counterproductive discussion with customers about the bill. 

I start under the Profile, My Account, Review/Edit your information.  We are in the education business. Paypal does have an education category. There should be under education, a subcategory of "digital content".  There's not.

Under Education, the choices are:

Education -Subcategories

- Business and Secretarial Schools

- Child DayCare Services

- Colleges and Universities

- Dance Halls Universities and schools

- Elementary and Secondary Schools

- Vocational and Trade Schools

Obviously, it is deceitful and somewhat illegal in some states for interactive learning websites, tutoring services, educational services etc to call themselves schools so this creates a real problem.

Under Books and Magazines,  there's a subcategory called "Educational and Textbooks".  But we're not a book or magazine.

Under computers, there's  "Digital Content" or "Software" or "Training Services"

Under "services other", there's nothing particularly relevant.

Bottom line, I'm listing SpellingCity as "Computers, Digital Content." I just switched it from Education, Secretarial Services which was  clearly wrong, it's just not clear what else is better.

Anybody know why Paypal can't or doesn't give better choices?

American Express Privacy Statement - Clear but troubling

ri

I looked closely at my corporate AMEX bill this month and noticed some things that amazed. One was that they had a very clear well-written easy-to-read statement about their privacy. BRAVO.

Secondly, their statement basically was that I have no privacy. Thgey are basically saying that all of my transactions can be used for their purposes and their affiliates purposes. These can be used for marketing and for "everyday business" purposes.  Even my social security number and income, which I assumed had some privacy around it, can be broadly shared to anyone that they decide to "affiliate" with.  Affiliate is defined later on as companies they own or control.

There's also directions on "opt-out" which will limit how much cirect marketing comes to us.  It does not opt out of other sharing of my data.

Paypal Called this Week - How about "Buy Now, Pay Later?"

I got a call from Paypal this week,  I took the call expecting trouble. What was wrong now? Instead, the nicest lady from somewhere deep in the Midwest (Paypal's initial HQ I think) was on the phone and she was pitching a new product from Paypal. We use Paypal as a merchant account on one of our sites that does over a $1M a year selling annual subscriptions in the $30, $50 and up range.

She basically wanted to know if we would add a: "Buy Now, Pay Later" banner onto our site and sale funnel.

I guess a lot of merchants have.  Of  course, every car and appliance and real estate salesman knows that extending credit at the point of sale is part of the deal.  But websites too?

Paypal says that: "Bill Me Later® is the simple, flexible credit line built-in to your PayPal account. Apply now and get a decision in seconds."

I declined to sign up  at the time but I did start thinking about it.

I was also very impressed by the sales lady. She was an actual Paypal employee and had been there seven year. She's at what sounded like the starting point of Paypal somewhere in the MidWest.

Credit Card Recurring Bills, do you use tokens?

Our business is based on monthly recurring billing but our architecture, set up nearly a decade ago, is stupid.  Basically, when a user signups, we put their credit card info into our merchant account at the credit card processing place and tell it to bill them monthly. If they cancel or make changes, we go in manually and change it. If their credit card declines, we get the report and also go through it manually. Lots of man hours.  Some mistakes. Yick.

It seems that a better system would be to start by placing the credit card at the vendor's shop (ie no change) but then to trigger the billing by sending over a file, presumably daily, of who to bill and how much. This is the "token" part.  As part of this, we should get back a decent automated report of successful  and not successful billings.

Is anyone out there who is a small business (tier 3), say under $25 million, using tokenized billing for recurring credit card billing. I'd like to share experiences.

John

Money Transfers: Paypal vs Bank of America. BOA is a Loser!

On May 31, I went online and moved money out of Paypal and BankAmerica accounts. They both talk about it taking a few business days.  May 31 was the Friday of Memorial Day weekend. I did the transfers after 5pm EST but I think, around 7pm.

On the morning of May 3rd, the Monday, the cash from PayPal had arrived in my account (it's a Fidelity account). I think it had a hold on it for the day but I'm not entirely sure.

This is now the morning of Wednesday, May 5th, and the Bank America transfer has still not shown up in my Fidelity account.  Very annoying.

The amounts involved are in the tens of thousands of dollars.  I'm very aware of the timing since I'm getting ready to make some big payments and I don't want to send those checks until the cash has arrived. I had always assume that bank wires or transfers were pretty much standard and instantaneous but now I see that they aren't. At least, they're not from Bank of America.

Bank America Choices on Transferring Money 
Outside of the Bank
Notice that for an extra $7, we can accelerate our transfer by two days.  I suspect that the reality is that if you pick the first one, they build a two day delay into the transfer process so that they can force people to pay for them to remove the two day for $7. This is what we all hate Bank of America.

Delivery within3 business days:  $3 fee, ACH transfer 
8 PM ET cutoff time   Delivery onNext business day:  $10 fee, ACH Transfer
8 PM ET cutoff time    Delivery onSame business day:  $25 fee, wire transfer Delivery time is shown immediately below.
5 PM ET cutoff time   

Paypal Choices for Withdrawing Money

Here are the ways to use the money in your PayPal account;

(Only one copied over!)

 Processing                                                                    Time                          Cost
 Transfer money to your bank account                3-4 business days        Free!

PCI Compliance for Small Businesses

I've researched and written before about PCI compliance for a level 3 vendor (back in 2009), this time I'm  trying to see the general situation for small business PCI compliance.

As background, it seems like everyone takes credit cards these days.  Between Paypal helping people take credit cards and the little attachments for our smart phones, it seems like a routine activity that does not incur any special obligations or concerns. But this is wrong, not true. There are some clear lines that companies cross as they take credit cards for payment. Once these lines are crossed, there are more legal obligations to maintain security and financial risk.

The rules are developed and described on the website of PCI Security Standards Council. The council was founded and is run by the credit card companies to have a joint system on security. Specifically by American Express, Discover Financial Services, JCB International, MasterCard Worldwide, and Visa Inc.

PCI's page for small business proclaims: 

Small MerchantsYou must secure cardholder data to meet Payment Card Industry rules! Small merchants are prime targets for data thieves. It’s your job to protect cardholder data at the point-of-sale. If cardholder data is stolen – and it’s your fault – you could incur fines, penalties, even termination of the right to accept payment cards!

I'm in the SAG category of "card not present": 

A	Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. This would never apply to face-to-face merchants.

  The PCI site then has a self-assessment questionaire which should be filled out and submitted.  Here's a critical part of the intro:

Once filled out, the self-assessment questionnaire should be submitted to the acquirer. My acquirer has never asked for one. It's not clear to me how often I'm supposed to submit it.  And when I've asked around, I've never found another online retailer who has ever heard of or filled out this questionnaire. Any thoughts anybody?
----
Plusbyems. Thanks for your great response and the call out. Here's a live link to your post: http://plusbyems.wordpress.com/2013/01/28/in-response-to-our-friends-at-credit-cards-online-101-on-pci-compliance /

Credit card disputes - New York Times

This morning's NYT has a long informative article on disputes. Although I'm deeply involved with businesses that are 80% paid for by consumer cards, I learned a bit about how the banks look at and think about dealing with requests for chargebacks. It turns out to be an expensive and difficult process for them too.

Here's some excerpts from Disputing a Charge on Your Credit Card..  

f you have ever disputed a charge with your debit or credit card company, you know what a potent weapon this type of complaint can be. The card issuer generally takes your word against the merchant or service provider at the outset, restores the money to your bank account temporarily or issues a credit and then goes about its investigation. It essentially demands that the merchant or service provider who supposedly did you wrong prove that it did no wrong at all....You have had the legal right to correct these mistakes ever since 1975, when the Fair Credit Billing Act went into effect. The law dictates that there be a process by which you can question unauthorized charges, billing errors and transactions involving goods or services you never received or merchants did not deliver in the way they were supposed to....

This creates problems for merchants. Plenty of people pretend that they never received products that were supposed to arrive by mail and then dispute the charge, hoping their card company won’t be able to figure out that they are liars and thieves.

The rest require a lot of manual labor. Every time someone initiates a dispute, the bank that issued the card must look into it. Someone has to contact the merchant and wait for a reply that may include a receipt or other documentation.

Merchants must carve out time to respond to each dispute. They also pay one-time fees for the privilege and may end up paying higher overall fees to accept cards if disputes are too frequent. Or they just get cut off from accepting cards altogether.....many banks will simply absorb the disputed charge on a consumer’s bill and never contact the merchant if it is below a certain threshold.

That number will differ for every bank, though it probably averages around $25. Some large retailers, it turns out, have similar strategies, according to a 2009 Government Accountability Office report. So even if the bank contacts a merchant about the dispute, the merchant may allow the customer to win the dispute without bothering to investigate the complaint. The report did not say what the threshold was, and the G.A.O. is not permitted to identify the retailers it spoke to.

...“When you go to a bank’s Web site and you see a button that says, ‘Dispute This Transaction,’ it doesn’t say that this is going to hurt the merchant and could actually increase the costs of buying a service from this business,” she said. “It just tells you that there’s a quick and easy way to cancel your subscription right here. And you can get a refund! If you don’t want to pay your whole bill, just click on this button.”

...The proprietors at Enchanted Attire, an online clothing retailer, wish to inform you that “you agree not to file a credit card or debit card chargeback with regard to any purchase” and that “in the event that a chargeback is placed or threatened on a purchase, we also reserve the right to report the incident for inclusion in chargeback abuser database(s) of our choosing.” Oh, and by the way, “being listed on such databases may make it more difficult or even impossible for you to use (any of) your credit card(s) on future purchases with us or other merchants.”

Movers have been known to do this, too.This violates Visa’s and MasterCard’s rules, for starters, and none of the experts I spoke with this week knew of anyone keeping a database for this purpose that merchants could contribute to and that other merchants could gain access to.

Very interesting article.  I think there should be a database of consumer repeat offenders. We find that 99% of the people deal with us with integrity and good intentions.  We certainly try to deal with them that way. But a few times each year, we realize that someone has been working and scamming us with repeated calls and approaches to us which result in us cancelling or refunding their bills.  Eventually, when we realize that we have a customer committed to not paying us and getting service, we refund ALL of the money that htey'v ever paid us and ban them from our service.  I'm not sure how the dollars and cents actually works out but it does wonders for the morale of our service center.