Payment Processing – Security

You ever wonder why more and more security doesn’t seem to make it any safer to accept credit card payments?

Is It Safe To Accept Credit Cards

All types of payment require some form of security, and if you’re processing credit & debit card payments there are steps you need to take to minimize risk. But just like you need to worry about your customers stealing from you, merchant service providers need to worry about merchants committing fraud. Therefore, you’ll see a number of steps taken by merchant service providers to minimize their risk, and these could cause you cash flow problems if you’re not careful.

Merchant Service Providers Can Freeze Your Funds

When it comes to the world of processing card payments, there is no such thing as cash and carry. You’re paying a price for the convenience of accepting credit/debit cards, and part of that price is you have to enter into a contract with the merchant service provider. As part of that contract you could be subject to the following policies:

Chargebacks: These are the result of a customer disputing a transaction. This is usually due to a stolen credit card or otherwise unauthorized charge. Sometimes though, the customer might not recognize the charge on their statement. Either way, when this occurs you’ll get a chance to make your case that the charge was legit, but the funds will be frozen and removed from your account for weeks or even months until the situation is resolved. Then if you lose you will never see those funds again.

Funding Holds: These are more rare, but are essentially the result of a transaction that hasn’t been charged back yet, although the processor has reason to believe it will be. These holds normally last 90-180 days and are more rare with established accounts. Basically, as long as the merchant account provider knows they can collect in the event of a chargeback, they’re less likely to put a preemptive hold on funds.

Rolling Reserves: These are industry standard and are one of the main differentiating factors you should consider when shopping for a Merchant Service Provider. Just like when you start a job you don’t get paid right away, when you start collecting payments you can expect to wait anywhere from a week to a month or two before the payments are available for withdrawal. Although you agree to the rolling reserve period when you enter into the contract, it can be modified later on depending on the wording of the merchant contract you sign.

Account Termination: If you violate the terms of the merchant account contract, or if your risk level increases too much, the merchant service provider reserves the right to terminate your account and hold your funds for up to 6 months.

A good rule of thumb is to be able to live without a credit card payment for up to 90 days when you accept it. So, you’ll want to make sure you have emergency funds to account for these possibilities.

Factors That Determine Your Risk to the Processor

So now that you know what to expect from the merchant account providers, let’s take a look at some of the things they’ll use to determine your level of risk to them.

Business Type: Payment processors spend a lot of time and money analyzing risk by a number of factors, and one of these is grading out risk by business type. Each industry has unique traits that lend themselves to various levels of customer disputes, fraud etc. There are some merchant service providers who won’t even touch businesses in certain industries due to the inherent high risk.

Age of Business: Simply put, the longer your track record of processing payments with little to no issue, the lower your risk to the processor. This means when you’re setting up a new account you can expect your terms will be less favorable than once you’ve become established.

Transaction Size: It’s important to be accurate with your application where it asks your average transaction size. Payment processors use sophisticated algorithms to assess risk and when transactions don’t look how they expect them to, your account is more likely to get flagged – and a flagged account means frozen funds and cash flow issues for you.

Processing Volume: Again, it’s important to be accurate with your application here as well. Big changes in the processing volume can trigger an account review.

Transaction Type: There are a number of ways to process payments including swiping, dipping, manual entry, online and even NFC (contactless), and all of them come with their own levels of risk to the merchant account provider. The lowest risk are contactless NFC and chip readers (dipping), with card swiping a little less secure. Online payments and manual entry are the least secure, so the more of these types of sales you have the higher your risk of chargebacks and other things that can get your account reviewed.

Chargebacks: Customers can dispute a charge for any reason. Sometimes it’s because they don’t believe they authorized the charge, sometimes it could just be because they don’t think the product or service was as described or expected. You will want to keep a close eye on how many chargebacks you have and do everything in your power to refund transactions that might lead to chargebacks before they do, since too many chargebacks will result in your account being flagged and potentially terminated.

Keep in mind that using a third-party payment service provider (PSP) might be more convenient than going through the process of setting up your own merchant account, but you are more likely to have your account terminated using a PSP than you would if you have your own merchant account. Something to keep in mind.

EMV Compliance

EMV = Europay, MasterCard & Visa, and it originates from a standardized protocol developed by these organizations. The purpose of the protocol they created was to develop a common hardware platform to make it easy for retailers to accept “chip cards”.

Technically, the “chip” in the chip cards is actually a small integrated circuit, and the EMV-compliant hardware readers read the data from this integrated circuit instead of from the magnetic strip like the older style cards. This matters because the EMV-compliant card reader reads the integrated circuit on the card dynamically, which makes it much more secure. Older style cards have static information encoded into the magnetic strip on the back, making it much easier to skim and copy.

If you don’t use an EMV-compliant card reader you can be held financially liable for unauthorized or fraudulent transactions that you process.

PCI Compliance

PCI Compliance refers to the Payment Card Industry Data Security Standard (PCI DSS), a set of data security standards developed by the PCI Security Standards Council. This council is a joint effort consisting of Visa, MasterCard, American Express, Discover and JCB International to ensure the integrity of the card payments system.

The easiest way to maintain PCI Compliance is to use a payment processing provider that stores all of the sensitive data on their own systems. You don’t want your customers’ personal data and credit card numbers on your own systems since that just makes you a target for hackers. PCI compliance will be covered in your merchant service agreement, and in most cases the responsibility of maintaining PCI compliant hardware and software is handled by them.

If you want to handle this data yourself though, you will be required to maintain PCI compliance and that can be a real pain. The complexity involved will be largely dependent on how many transactions you handle, but you’ll be required to complete a questionnaire and probably consent to a third party system scan.

Our general advice is if you’re not even sure what PCI compliance is at this point, you’re better off working with a payment processor that covers it for you for a fee. It’s the same reason I pay to have my oil changed – I can do it, but I really don’t want to.