Ask The Coach
Your Questions Answered

Below, you’ll find a list of the most common and important questions business owners like yourself ask when considering their processing needs. Simply click on a question to expand its answer:

According to the PCI (Payment Card Industry) Security Standards Council website, www.pcisecuritystandards.org, “From the world’s largest corporations to the small internet stores, compliance with the PCI Data Security Standard (PCI DSS) is vital for all merchants who accept credit cards, online or offline, because nothing is more important than keeping your customers’ payment card data secure.” They go on to state that any business that stores, processes or transmits payment cardholder data must be compliant. The more transactions you process, the more work is required to validate that you are safeguarding the data: small merchants typically complete a self-assessment questionnaire, while the highest-volume merchants must undergo an on-site assessment. “PCI DSS (Data Security Standard) version 2.0 is the global data security standard that any business of any size must adhere to in order to accept payment cards, and to store, process, and/or transmit cardholder data.”

Your processor must be compliant, but your business must be compliant as well. If you accept payment cards, you must be compliant. Your business actually wants to be compliant, both to avoid the fines that follow a data loss and because the work of becoming compliant closes off many of the common avenues thieves use to gather payment data. In doing so you are protecting your clients’ data.

It varies with how you process your payments as well as the volume of transactions. These are the 12 requirements according to the PCI Security Standards Council, the official body set up by Visa, MasterCard, Discover, American Express and JCB:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need to know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for all personnel 

If you do not store, process or transmit credit card data, then you might be the rare exception to the PCI DSS requirements. Keep in mind that your website is considered part of your business, so if your website accepts the payment, then you are processing, transmitting or storing cardholder data. If you use a secure, approved gateway to collect all of the card data on its own pages (rather than collecting it on your site and only handing off to the gateway at the end of checkout), your requirements will be minimal, since the gateway takes on most of that responsibility for you. You still have responsibilities, though: you must still validate your own compliance (typically with the shortest self-assessment questionnaire), and you must keep your website from being altered so that customers are sent somewhere other than the gateway. Make sure the gateway provides you with something in writing stating that they will take full legal responsibility in the event of a data breach or data loss.

The average cost for a small business that lost data in 2010 was between $25,000 and $50,000, and some studies have shown that 50% of those merchants had to file for bankruptcy. If the card brands even suspect there has been a data loss, they can require a forensic investigation. The business is responsible for the cost of the forensic team, which typically runs a few thousand dollars and grows with the time the investigators have to spend. The business is responsible for all of the costs associated with the breach, which include but are not limited to the cost of notifying the cardholders, the cost of issuing new cards, the cost of the investigation by the card associations, and the cost of fraud investigations by the card-issuing banks. If the business is not PCI compliant, there are additional fines for non-compliance. The card brands also have the right to cut off your ability to accept cards at all, which would be very challenging for most businesses.

Many processors have partnered with an approved vendor to track and monitor compliance. These vendors often provide vulnerability scanning as well as the self-assessment questionnaire. Some processors’ programs provide financial support for certain payment network fines and for the cost of the forensic audit, although the amounts vary with the program and the specifics of the data loss. Other costs vary by incident and by state and may or may not be covered.

Most processors require you to sign a contract in which you agree to abide by the industry rules and to the processor’s own requirements. Commonly these are three-year contracts with a financial penalty for early termination ranging from $250 to several thousand dollars, so read your contracts carefully. If someone has told you it doesn’t apply to you, make sure you get that in writing. Most legal departments will not allow you to cross off part of the contract, so they will instead provide an addendum specifying that there is no cancellation fee.

Yes, many vendors now offer programs for small or “micro” merchants. Most offer a flat rate plus a per-transaction fee, with a possible monthly fee and annual fee. Keep in mind that you still have the PCI requirements, so look for a company whose program includes PCI compliance coverage.

Yes, we have a program for businesses that process under $25,000 per year in Visa, MasterCard and Discover (American Express has its own rates). You pay a $10.00 monthly fee and then 2.75% + $0.29 per transaction for swiped transactions, or 3.5% + $0.29 for keyed transactions, which includes internet transactions. It includes our virtual terminal, and you can purchase the swipe wedge that attaches to the PC for under $100. There are no annual fees and no termination fees on this program, which is spelled out in the contract addendum. Our program includes the PCI program, through which you can get up to $100,000 of financial coverage if you are PCI compliant, to give business owners peace of mind.

Example: If you process $500 in five key-entered payments of $100 each, it would cost you $28.95. Here is how that works out: $500 x 3.5% = $17.50, the five transactions cost 5 x $0.29 = $1.45, and the monthly fee is $10.00, so your total cost is $17.50 + $1.45 + $10.00 = $28.95.

Several processors will provide you with equipment free of charge. Don’t forget about that three-year contract, where the cancellation fees tend to be higher so that the processor is sure to recoup its investment in the equipment. Like any business, they have to make up the cost of purchasing that equipment, and that usually takes the form of higher rates on rewards, commercial and non-qualified transactions. Recently this has been helped by the Durbin Amendment and the additional savings processors are getting from lowered wholesale rates on regulated check cards.

Some of the card readers for cell phones are very inexpensive at the wholesale level, but some of those models only encrypt the data before the phone sends it to the processor, not at the point of the swipe. That means the full track data passes through the phone and its software in the clear, where malware or a tampered app could capture it before it is ever sent. Could that data be stolen before it is sent? Is it worth the chance? There is already handheld equipment that can read a contactless (RFID) card from within a few inches while it is still in your purse or pocket (a magnetic stripe, by contrast, has to be physically swiped). If thieves go to that trouble for a card, do you think they will leave unencrypted card data sitting on a cell phone alone?

It really depends, and you should check with your CPA regarding this issue since it has tax implications. Today’s equipment has come down in price relative to what equipment cost a few years ago, so it is more manageable for most businesses. Terminals cost under $200, and dual-connection models (they can use a dial tone from the phone line or an internet connection) run about $350. The new models are already built for EMV (Europay, MasterCard and Visa), so you will only need a software upgrade to the system. EMV is the chip-based technology currently used in Europe and, more recently, Canada. It is very effective in reducing fraud at the point of sale, which is why the card brands have scheduled a liability shift for October 2015 in the US, after which the party without EMV-capable equipment generally bears the loss for counterfeit-card fraud.

The downside to a lease is that the overall cost of the equipment is much higher, usually two to three times the purchase price. At the end of the lease you may be able to purchase the equipment for a small buyout, or the lease will convert to month to month.

Tiered pricing is when the processor groups the wholesale rates into bundles to make pricing simpler and easier for the merchant to understand. At the wholesale level there are several hundred rates a card can qualify at when it is processed through the brands (Visa, MasterCard, Discover). Some are industry specific, while others depend on the type of card (rewards, business, internet, international) and the various subcategories within those types. Usually a tiered program has 3 or 5 tiers. Cost plus is the wholesale amount plus a set markup for the processor. Cost plus is the fairest to the merchant in my opinion, especially since the passage of the Durbin Amendment.

This is really difficult, as most statements are confusing unless you are an industry veteran, and merchants don’t have the time to keep up with the individual rates, why a transaction qualifies at a specific rate, and whether the rate can be improved. An overall gauge we use is the effective rate (total processing cost divided by total volume), excluding the statement fee and PCI fees. If your effective rate is over 2.3% on a merchant account that processes $25,000 per month, your rate is probably high, especially as we are seeing effective rates drop because of the Durbin Amendment. However, this is not always true: international cards cost much more, and if you have a lot of international clients your effective rate can legitimately be higher. The best way to know is to get an analysis done of your current rates, which can be done by your current processor, or you can find another trustworthy processor and compare their rates.
