Transaction trends | March 2011
The Official Publication of the Electronic Transactions Association
Tech innovations, lower costs, and younger consumers push mobile payments to the forefront
Tips for Fostering Level 4 Compliance
Adaptability Inspires ISO’s Progress
What Debit Interchange Regulation Means for You
2011 ETA Annual Meeting & Expo Preview
Vol. 16 | No. 3
Cover Story

Market Driven
By Kim Fernandez
You’ve heard it for a while now, but 2012 may be the year for mobile payments. Experts explain why it’s finally a reality, who the early adopters are, and what bumps in the road lie ahead.

Features

Coaxing Compliance
By Julie Ritzer Ross
Just 11 percent of Level 4 merchants abide by PCI security standards, compelling ISOs to encourage compliance by debunking myths, properly educating merchants, and more.

Special Series

Startup Stories: First American Payment Systems
By Julie Ritzer Ross
Adaptability and proprietary products and services helped grow First American Payment Systems’ portfolio to more than 100,000 merchants.

2011 ETA Annual Meeting & Expo Preview: Let’s Go to San Diego
This year’s new location promises outstanding networking opportunities, access to top industry partners, and all the business-critical education you need for success.

Debit Interchange Proposed Regulation Dissected
By Holli Targan, Jill Miller, and Sarah Weston
As the industry anxiously awaits the official regulations to be issued in April, three legal experts examine possible effects and what they mean for the industry.

Departments

Insights from ETA’s elected leader
Trends, strategies, and news in the payments business
Ad Index
Industry Insider
Individualized fraud management services propelled Verifi Inc.’s progress.
Electronic Transactions Association 1101 16th Street NW, Suite 402 Washington, DC 20036 202/828.2635 www.electran.org
ETA Chief Executive Officer Carla Balakgie
Credentialing Comes to Fruition
ETA Director, Communications & PR Thomas Goldsmith Transaction Trends Publishing office: Stratton Publishing & Marketing Inc. 5285 Shawnee Road, Suite 510 Alexandria, VA 22312 703/914.9200 Publisher Debra Stratton Editor Josephine Rossi Contributing Editor Angela Hickman Brady Editorial/Production Assistant Teresa Tobat Art Director Janelle Welch Contributing Writers Kim Fernandez, Jill Miller, Bryan Ochalla, Julie Ritzer Ross, Holli Targan, Sarah Weston Advertising Sales Steve Schwanz or Fox Associates (800/440.0232; firstname.lastname@example.org) Fox Associates Offices Chicago 312/644.3888 Atlanta 800/699.5475 Los Angeles 213/228.1250
New York 212/725.2106 Detroit 248/626.0511 Phoenix 480/538.5021
Editorial Policy: The Electronic Transactions Association, founded in 1990, is a not-for-profit organization representing entities who provide transaction services between merchants and settlement banks and others involved in the electronic transactions industry. Our purpose is to provide leadership in the industry through education, advocacy, and the exchange of information. The magazine acts as a moderator without approving, disapproving, or guaranteeing the validity or accuracy of any data, claim, or opinion appearing under a byline or obtained or quoted from an acknowledged source. The opinions expressed do not necessarily reflect the official view of the Electronic Transactions Association. Also, appearance of advertisements and new product or service information does not constitute an endorsement of products or services featured by the Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided and disseminated with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice and other expert assistance are required, the services of a competent professional should be sought. Transaction Trends (ISSN 1939-1595) is the official publication, published monthly, of the Electronic Transactions Association, 1101 16th St. N.W., Suite 402, Washington, DC 20036; 800/695-5509 or 202/828-2635; 202/828-2639 fax. Postage paid at New Richmond, Wisconsin and additional mailing offices. POSTMASTER: Send address changes to the address noted above. Copyright © 2011 The Electronic Transactions Association. All Rights Reserved, including World Rights and Electronic Rights. 
No part of this publication may be reproduced without permission from the publisher, nor may any part of this publication be reproduced, stored in a retrieval system, or copied by mechanical photocopying, recording, or other means, now or hereafter invented, without permission of the publisher. Nonmembers, government agencies, $150 per year; single copy, $20. Subscriptions are available for 12-month periods only, at the quoted rates.
It’s official. Late last month the ETA formally announced that after two years in the development phase, the Certified Payments Professional™ (CPP) credentialing program will launch later this year.

This is an extremely important milestone in the history of our industry. ETA was created, in large part, to address the “checkered” reputation that plagued the merchant acquiring business. Our founders vowed to change things for the better and the CPP program is a giant step toward fulfilling that promise. It will raise the visibility of those in our business who are knowledgeable and capable–and to help make them more successful.

To qualify as a CPP, a payments professional will have to meet the program’s eligibility requirements, including a minimum amount of professional experience, and take an examination that will test the candidate’s breadth and depth of industry knowledge.

A huge amount of work has gone into the CPP program. And from the outset, ETA was determined to do it right. That meant gathering experts from across the industry to define what the examination would test, then subjecting that “body of knowledge” to review by more experts. Then yet another group began writing the actual questions for the CPP exam, a process that (including multiple reviews) is still going on. All of this is being done under the watchful eye of an outside organization that specializes in developing professional certification programs.

Why go through all this time and expense? We want those who become Certified Payment Professionals to be proud of their achievement. And for the CPP to be a mark of distinction, something that makes them valuable to their current and future employers. It’s also important for merchants to seek out CPPs, to make doing business with them a part of their decision-making process when setting up a merchant account.

And we want the ISOs, the processors, acquiring banks, and card companies—everyone in the business—to recognize the value of employing and partnering with CPPs, because they’ve made this significant commitment to their profession and their careers. And we now can demonstrate to the regulators and legislators who are paying close attention to our business that we have established a standard of professionalism and ethical behavior for our industry.

Before 2011 is over, the exams will be finalized, the program rules and procedures will be in place and the first applications will be in the door. You can follow our progress at www.electran.org/CPP. Soon it will be up to you. Do you have what it takes to be a CPP?

Sincerely,
Rick Pylant

Rick Pylant is President of ETA and President & Chairman of COCARD Marketing Group, LLC
Industry News

Threat of Mobile Data Breaches Grows

As the popularity of social media and mobile devices has risen, so too has the likelihood of an attack against those sites and endpoint devices, according to Trustwave’s 2011 Global Security Report released in January. The rate and sophistication of those attacks also have increased as the latest versions of malware are virtually undetectable by current antivirus scanning software. Mobile devices give criminals easy access to authentication credentials and sensitive data. Now, criminals are using mobile phones to mine geolocation data to launch more targeted, sophisticated attacks against social networks.

Notable findings from the report include:
• The food and beverage industry accounts for 57 percent of all investigations.
• Insecure software code or lax security practices in the management of third-party technology were the cause of 88 percent of breaches.
• Sixty-six percent of the investigations found theft of data in transit.
• A single organized crime syndicate may be responsible for more than 30 percent of all 2010 data breaches.
[Chart: Post-Holiday Spending Holds Steady. Panels: January transaction growth; January dollar volume growth. Note: All transactions are same-store growth. Source: First Data]
ETA to Launch Certification Program
ETA will launch the payments industry’s first professional certification program before the end of 2011. The Certified Payments Professional™ (CPP) program will focus on the knowledge and skills required for those involved in the sales and distribution of electronic payments-related products and services to merchants and businesses.

“The launch of the CPP program will be an important milestone for the payments industry and for ETA,” says Carla Balakgie, CEO. “We’ve invested significant time and effort to establish the highest level of professional standards through this endeavor. We tapped a wide range of industry experts and certification program specialists to ensure that those who earn the CPP credential are truly qualified to receive the designation.”

Program objectives include:
• establishing a uniform, defined standard of practice and knowledge for ISOs, sales personnel, and others in the industry
• quantifying the expertise and potential performance of those who work in the payments industry
• encouraging ethical business practices
• enhancing the productivity and reputation of payments companies and the credibility of the industry.

In addition to meeting minimum eligibility requirements, candidates also must pass a rigorous examination that assesses their industry knowledge. For more information, visit www.electran.org/CPP.

Fast Fact: By 2015, consumers’ use of cash will decline 17 percent, dropping to slightly more than $1 trillion. Source: Aite Group
Market Driven
By Kim Fernandez

LARGE RETAILERS EMBRACE MOBILE PAYMENTS WHILE PHONE COMPANIES AND TECH PROVIDERS CONTINUE TO INNOVATE, BUT INFRASTRUCTURE CHALLENGES REMAIN

KEY NOTES
• Technology providers expect a boom in technological innovations and demand over the next five to 10 years. But some studies point to a real takeoff in 2012 and $22 billion in mobile POS transactions by 2015.
• Contactless will soon become a standard feature of any replacement plan. For merchants replacing a terminal now, adding contactless doesn’t cost any more.
• The current challenge to widespread adoption is the lack of infrastructure at the point of sale. Many consumers don’t know mobile payments exist, say some experts.
Chevy Chase Supermarket, a 55-year-old family-owned store in Maryland, made headlines in 2006 when it announced it would embrace RFID technology to let customers pay simply by swiping their phones across checkout sensors. Ahead of its time? Perhaps. After all, most cell phone manufacturers have yet to start including RFID chips in devices.

At the same time, large chains increasingly are embracing mobile payment technology, and even the smallest stores should do the same within the decade. Younger consumers will demand the service or shop elsewhere.

“There is a whole generation of kids for whom cell phones are the mechanism for communicating with family and friends,” says Scott Goldthwaite, vice president of product management for Long Beach, New York-based Planet Payment. “That’s how money will be moved. It won’t be moved by cash, and they’re not going to Western Union. Mobile phones are rapidly replacing that.”

PayPal, MasterCard, and Amazon have already rolled out pay-by-phone options. And while consumers haven’t exactly rushed to try it out, technology providers expect a boom in technological innovations and demand over the next five to 10 years.

“We’re going to see tremendous widespread adoption in the next five years,” says Paul Sabella, CEO and president, CHARGE Anywhere in South Plainfield, New Jersey.

The joint venture between Verizon, AT&T, and T-Mobile will push mobile payments at the point of sale, says Gwenn Bezard, Aite Group research director. “I imagine we’ll see a few phones introduced this year, with more to come in 2012.”

Once that happens, consumers will start asking to use the capabilities in person, and merchants will have to respond.
Tricky Road Ahead

“If you look at the United States in regard to the rest of the world, the United States has the largest share of contactless [cell phone] acceptance,” asserts Bezard. “We have about 150,000 locations that are equipped to use contactless technology. That’s not huge, but it’s a start.”

Many merchants will be offered the option to add contactless readers to their payment terminals as they upgrade or replace over the next several years. And because the technology is inexpensive, many will do so without much thought.

“It’s going to become a standard feature of any replacement plan,” he says. “It’s getting less and less expensive. If you’re replacing a terminal now, it really doesn’t cost any more to add contactless capabilities.”

“POS merchants have been a growing market and will continue to be a growing market,” adds Goldthwaite. “We’ll see a shift in merchants using cell phones, and with more people using Androids and BlackBerrys and iPhones, it’ll be more common for people to use a mobile POS device. Cell phones can move faster than stand-alone payments.”

iPhone users can already pay each other simply by bumping their phones together. A simple tap of the two devices transfers cash from one owner’s account to the other’s. That, experts say, will expand to POS sales as consumers embrace the technology on an even wider scale.

“The challenge with a lot of this is that the infrastructure isn’t there at the point of sale,” says Goldthwaite. “You can’t swipe a phone right now. For the most part, the penetration is quite small when you look at how many merchants have it versus how many don’t use phone payments. There’s a one out of 25 chance you’ll find it at a merchant. So if you’re building whole mobile phone payments around the mobile phone as credit card, the infrastructure isn’t there yet and it’s going to be very difficult.”

It’s something major merchants have already discovered. Because more merchants haven’t installed readers, phone manufacturers haven’t installed the proper chips into devices, and consumers have no idea the option even exists.

“Two years ago, we saw a big buildup of tier-one acceptance,” he says. “That really dropped off. Best Buy turned theirs off. It’s a huge challenge for merchants.”

Best Buy embraced Visa contactless payments and installed the system in all of its stores in 2008. But when Visa began demanding more expensive signature rates for the transactions in 2009, Best Buy pushed back, eventually removing the system from its stores.
Surging Forward

While the challenges have yet to be resolved, a new generation’s demand for phone payments will force everyone to negotiate and settle on a workable system.

“Consumer mobile payment now is really scratching the surface of what it will be in time,” says Sabella. “Right now, people can do e-commerce on their phones. They can go to a Web site and buy a ticket or load value on a card, but that’s just using the Internet to facilitate a purchase on a phone. We’re starting to see what buying online really is in a mobile environment.

“The technology is getting ripe for those kinds of payment systems,” says Sabella, adding that many of the security “wrinkles have been ironed out. So now, it’s a matter of implementation in some cases, and of figuring out business rules and how commerce will be conducted in respect to the different brands of card issuers.”

Bezard says he anticipates more acceptance when merchants realize how much they could do with contactless payments, and consumers figure out that they have the technology at all.

“I don’t think people are familiar with it,” he says. “Awareness remains extremely low even though millions of cards have been issued and even though people carry them around. As a contactless chip becomes available, things are going to change. You’ll be able to do a lot more things with the phone, and create a value that wasn’t there before.”

That includes improving communication between consumers and merchants, he says.

“Merchants will be able to offer coupons that way and bump up the communication between merchant and customer,” he says. “People will consolidate their payment forms, adding gift cards to their mobile wallets. Starbucks is already offering people the option to reload their cards while they’re in line with their phones. That’s a mobile application that provides value above and beyond what people see now.”

And as more merchants introduce similar systems, he says, the possibilities will only grow.

“Merchants will be able to communicate better with consumers,” he says. “You’ll be able to push special offers directly to them and then track how they’re using those offers. It’s not so much about the payments themselves, but about tying together payments and coupons. That’s all just emerging.”

Bezard cites studies that predict mobile payments will really take off in 2012, and that $22 billion in mobile POS transactions are anticipated by 2015. Sabella agrees, saying the technology will increase both as younger consumers demand it, and as people upgrade their phones at the end of two-year contracts.

“I think our kids are more likely to do this in five or 10 years than we are,” he says. “What’s the life cycle of a phone? How fast are phones going to rotate through? Really, what we should be looking at is the phone and the life of a contract, and how many two-year increments are going to cycle through before people have the phones they need to make payments. I think we’re looking at two to eight cycles.”

And demographics will play a key role as well. “I think people in the first generation of this will still want to swipe their credit cards,” he says. “I mean, my father still writes a check when he shops. He stands in the bank and talks to the people in the bank. Younger people don’t go into banks at all.

“There is a lot of interest in this, and I think in the next five years, we’ll see a lot of neat things with it,” he says.

“Ten years from now, the generation that’s growing up won’t know what a credit card was,” says Goldthwaite. “They won’t know what a dial tone was. It’ll take that long for the infrastructure to be rebuilt and make sure POS retailers have readers.”

“The phone will be the only payment mechanism that demographic has,” he says. “If retailers want their business, they’ll upgrade their infrastructure to accept it. It’s the only way those customers will want to pay, and it’s the new mechanism for retailers to invest in.”

Kim Fernandez is a contributing writer to Transaction Trends. Reach her at firstname.lastname@example.org.
By Julie Ritzer Ross
Five strategies to help Level 4 merchants overcome PCI compliance barriers
KEY NOTES
• Remediation of PCI DSS compliance deficiencies can run upwards of $30,000 or more. And ongoing monitoring, including system scans, adds up to $500 to $2,000 monthly.
• ISOs have to address and debunk common myths that prevent merchants from addressing PCI compliance—such as the myth that only large retailers are affected.
• Communicate with merchants on a regular basis about data security and compliance, experts say. E-mail, direct mail, and, most importantly, phone calls are all essential education tools. “Be in their face about it,” says someone who knows.
• ISOs must position PCI compliance as a critical component of an overall comprehensive security strategy.
Compliance with the Payment Card Industry Data Security Standards (PCI DSS) continues to be a problem for small- and medium-size (Level 4) merchants. Only 29 percent of small business owners are truly aware of the PCI compliance standards and only 11 percent are actually in compliance, according to a recent poll by the Payment Card Industry Security Standards Council. Meanwhile, statistics released by Visa USA indicate that more than 80 percent of the association’s noncompliance issues originated with Level 4 merchants.

Sticker shock may indeed be a culprit here: Sources report that while completion of the PCI DSS Self-Assessment Questionnaire (SAQ) doesn’t amount to much, even if a Qualified Security Assessor (QSA) is commissioned to assist with the process, remediation of deficiencies (including technology implementation) can run upwards of $30,000 or more. And ongoing monitoring, including system scans, adds up to $500 to $2,000 monthly.

Other factors, ranging from erroneous assumptions to a lack of knowledge of what PCI is truly about, also come into play, but there are steps ISOs can take to nudge merchants onto the compliance path.
Explain the financial consequences of noncompliance.

Small- and medium-size merchants are less likely to balk at PCI-related expenditures when ISOs share in detail the cost of ignoring the mandates, says Tim Horton, vice president, product family manager, TransArmor and security services, at Atlanta-based First Data Corp. “The more explicit the information, the more attractive an investment in compliance becomes.”

Point out that the “meter” starts to tick not when a data breach actually occurs, but at the moment a merchant is even suspected of having experienced one. Depending on the complexity of systems involved, a mandatory forensic investigation by PCI DSS-certified security examiners can bring a business to a halt for several days to several weeks, impeding sales, profitability, and productivity. Merchants must cover the cost of such an examination, no matter what its outcome. Sources peg the investigation tab for a Level 4 merchant at $8,000 to $20,000, based on the breadth of the procedures performed and the particular systems evaluated.

Moreover, should examiners discover that a breach has indeed occurred, the affected merchant will shoulder additional expenses, including $3 to $10 per replacement card; $5,000 to $50,000 or more in compliance fines; and other fines levied for actual fraudulent use of compromised card numbers.

“Merchants need to understand that noncompliance expenditures are significant enough to ruin a small business very fast,” especially given that “these numbers do not take into account potential public relations damage and lawsuits,” asserts Mike Meikle, CISSP, CEO of the Hawkthorne Group, a boutique management and technology consulting firm headquartered in Richmond, Virginia.

In discussing the financial perils of noncompliance, Meikle adds, ISOs might explain to merchants that adherence to the mandates “provides a ‘safe harbor’ from many of the fines or penalties levied, as long as the firm breached was PCI compliant at the time of the incident.” ISOs should equate the “reverse image of ‘safe harbor’ with the ‘death penalty,’” because if a merchant is discovered to have been grossly negligent in its security practices, it can be permanently banned from accepting credit cards, Meikle advises.
Address and debunk common myths that also prevent many merchants from addressing PCI compliance head-on.

These include:

• “Data breaches only affect larger retailers.” Quite the opposite is true. Level 4 merchants outnumber their Level 1, Level 2, and even Level 3 counterparts, rendering them a more frequent target of cardholder data compromise. Anecdotal evidence from Visa lends credence here. The association continues to identify small merchants as the group most commonly victimized by hackers, according to Jennifer Fischer, senior business leader, payment system security compliance. And smaller merchants’ general lack of technology savvy only increases their appeal to perpetrators of data breaches, experts assert.

• “One data breach won’t have a lasting effect on the business.” Nothing could be farther from the truth. Contrary to what many smaller merchants may assume, a Level 4 merchant need suffer only one confirmed security breach before being forced to meet Level 1 compliance standards. In the Level 1 category, the cost of achieving and maintaining compliance, as well as fines for security breaches, can total millions of dollars.

• “Our low transaction volume doesn’t warrant compliance.” No merchant can make this claim, unless it doesn’t accept credit cards at all. Processing even a single credit card transaction each year puts retailers and other entities within the scope of PCI compliance, notes Ed Moyle, co-founder and partner of Security Curve, an Amherst, New Hampshire-based information security services company.

• “Using a third-party processor constitutes an automatic exemption from PCI compliance mandates.” Admittedly, partnering with a third-party processor may decrease merchants’ exposure to risk, in turn simplifying efforts to validate compliance, but it doesn’t otherwise exempt them from PCI DSS compliance requirements.

• “Utilizing PCI-compliant technology at the physical point of sale and/or PCI-compliant shopping carts and payment gateways online yields PCI compliance by default.” While this may be the case, merchants must be reminded that PCI guidelines also dictate implementing measures to ensure the physical security of networks and payment technology as well as the maintenance of written security policies, observes Derek Tumulak, vice president, product management, at SafeNet, a Belcamp, Maryland-based vendor of network security and encryption products. “Although it is critical that terminals, gateways, shopping carts, and the like be PCI compliant, compliance as a whole doesn’t stop there,” Tumulak says. “The documentation piece is just as important.”
Educate, educate, and educate some more.

Merchants’ view of PCI compliance as a “scary, very technical” matter, coupled with their lack of understanding about “what happens to payment data after a transaction is completed,” is as much an impediment to jumping on the bandwagon as sticker shock, misconceptions, and other factors, insists Ron Schmittling, principal, security and privacy, at St. Louis, Missouri-based financial services and business consulting firm Brown Smith Wallace LLC.

To best overcome these obstacles, Schmittling suggests ISOs launch multifaceted educational campaigns that may include e-mail messages, direct-mail pieces, and phone calls to merchants about data security regulations.

“Communicate with merchants on a regular basis about data security and compliance,” he emphasizes. “You may have to be in their face about it. The myth that PCI compliance is voluntary is a big hurdle to get over.”

In Schmittling’s experience, e-mail and direct mail should represent a portion of ISOs’ merchant communication endeavors, but the bulk of education is best delivered by telephone and will likely be more effective at increasing compliance rates among small merchants.

“Many small merchants believe the PCI requirements are highly technical,” he says. “When they see an email, they get scared and think the topic is too complex. However, when the phone rings, they tend to feel they can manage the conversation. If you send a merchant a letter or e-mail, it is a passive contact that he or she can set aside. On the telephone, it’s not so easy.”
Avoid the technology “hard sell.” Whether in the course of educating merchants about PCI mandates in general, or not, some ISOs tend to make the mistake of aggressively touting technology. This does little more than scare them off, says Tim Cranny, PhD, CEO of Panoptic Security, a Salt Lake City-based provider of online PCI compliance solutions. Discussing, in detail, how individual solutions address different security vulnerabilities, and proposing various alternatives (such as removing transaction data from the scope of PCI using technology as a linchpin) is a far more effective approach, Cranny says, noting that Panoptic and many other vendors partner with ISOs and resellers to share with them the information needed to position technology in this fashion.
“For the most part,” proposing solutions that remove data from the scope of PCI “has been overwhelmingly successful,” says Shawn Chaput, lead QSA with Vancouver, British Columbia-based Qualified Security Assessor Privity Systems Inc. “If, for instance, the magnetic stripe reader encrypted the credit card data immediately and never let connected points of sale obtain PAN, the compliance burden can be reduced. The same is true if card readers are fully managed devices that aren’t connected to a point-of-sale system at all, with the ISO returning transaction data to (or otherwise interacting with) the system over the network to ensure adequate segmentation and allow appropriate transaction reconciliation.”
In outlining the manner in which various technologies address PCI compliance issues, don’t forget to let merchants know exactly what makes the solutions themselves compliant. “Merchants look at this as guidance and not a hard sell so they listen more,” insists Mark Baumann, compliance and information security director at 3i Infotech, a global IT provider with U.S. offices in Edison, New Jersey.
Worth noting as well is how the deployment of certain solutions down the road may temporarily increase PCI compliance-related expenditures, yet generate savings later on. “Version 2.0 of the PCI DSS, released in October 2010, made only minor changes to the electronic transactions business,” says Jonathan Lampe, vice president, product management, at Ipswitch, a network and file transfer management solutions vendor in Lexington, Massachusetts. “However, more changes are around the corner when the Payment Card Industry Security Standards Council issues recommendations on tokenization of individual credit card fields and point-to-point encryption. This may force a complete technology refresh across the industry, but will also offer enormous cost savings because the technologies promise to reduce both the scope of PCI compliance and the chance for accidental data exposure during transmission.”
Position PCI compliance as part of an overall security solution. For many merchants, the perception of PCI compliance as a component of a strategy for protecting far more than credit card data is the tipping point for acceptance. “We advise our MSPs to explain to their existing customers that data security as a whole is becoming increasingly complex, and that they have many assets—from human resources records, to proprietary material—to protect,” notes Michelle Wagner, senior vice president, global marketing, for Atlanta-based Elavon. “Then they can go into the ‘whys’ and ‘wherefores’ of all types of security. It sets the acceptance bar higher.”
Julie Ritzer Ross is a contributing writer to Transaction Trends. Reach her at email@example.com.
PCI Compliance FAQ
Use this cheat sheet to educate Level 4 merchants in your company’s portfolio
What is the Payment Card Industry Data Security Standard (PCI DSS), and what type of merchants must comply with it?
A: Administered and managed by the Payment Card Industry Security Standards Council, PCI DSS is a set of mandates intended to ensure all entities that process, secure, or transmit credit card information maintain secure environments for such data. No company with a Merchant ID (MID)—even one that only handles credit card information via telephone—is exempt from it.
What must Level 4 merchants do to become PCI compliant?
A: The minimum requirement for a Level 4 merchant is to complete a PCI DSS Self-Assessment Questionnaire (SAQ) on an annual basis, achieve a passing score, and remediate any areas of “failure.” Merchants that electronically store cardholder information and/or utilize transaction processing systems with any Internet connectivity whatsoever must arrange for quarterly scans by an Approved Scanning Vendor (ASV).
What basic steps can smaller merchants take to address data security, without incurring major expenditures?
A: They should take these steps:
■ Use PCI-compliant technology.
■ Secure cardholder transactions, encrypting all cardholder data during transmission.
■ Conduct regular Web application and vulnerability scans. If your organization has Internet-facing IP addresses, conduct scans regularly to identify and address any critical vulnerabilities.
■ Avoid electronic storage of credit card data, unless you have a compelling business reason to do so.
■ Allow sensitive customer information to be accessed only by those employees whose position warrants.
What is an Approved Scanning Vendor (ASV)?
A: Approved Scanning Vendors are organizations that validate adherence to certain PCI DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers.
What is a Qualified Security Assessor (QSA)?
A: A Qualified Security Assessor is an organization that has been qualified by the PCI Security Standards Council. QSAs have been certified by the Council to validate an entity’s adherence to the PCI DSS.
Where can I find more information and updates?
A: Check out these Web sites.
■ PCI Security Standards
■ PCI Knowledge Base
■ PCI Self-Assessment Questionnaire
■ PIN Entry Devices
■ Payment Application Data Security Standard
■ Visa (Risk Management)
■ American Express (Merchants)
■ List of Qualified Security Assessors (QSAs)
■ List of Approved Scanning Vendors (ASVs)
First American Payment Systems
Consistent Growth Mode
Proprietary products and services define First American Payment Systems’ market niche, resulting in year-over-year growth since 1990
By Julie Ritzer Ross
In today’s competitive electronic payments space, many ISOs/MSPs differentiate themselves from their competitors through the sales programs, products, and services they promote. But Fort Worth, Texas-based First American Payment Systems bills itself as one of the few merchant acquirers that owns every product and service it makes available to the merchant community. This, along with the company’s strong ISO/acquirer offering and emphasis on diversification in terms of sales and markets served, has placed the ISO/MSP among the top privately owned merchant acquirers in the United States. The company has seen consistent year-over-year growth since its inception in 1990, maintains a portfolio of 118,281 merchant clients, and, as of late last year, was projecting a transaction processing volume of $10.8 billion in 2010.
First American Payment Systems was founded by industry veteran Neil Randel, who now serves as chairman/CEO, with a vision of offering terminals and credit card payment solutions, as well as other payment solutions and services. “There was nothing like that out there at the time, and the goal was to provide it while also using proprietary methods to support partners,” says Kevin Jones, former vice president, sales and marketing. The business was built on a varied roster of in-house products, services, and infrastructure. Managers believed this approach would attract merchants and partners not only by providing a one-stop shop for electronic payment needs, but by ensuring a consistently high caliber of “menu items” for customers and sales personnel.
The ISO/MSP’s credit card processing “franchise” spans a multitude of merchant categories and structures, including retail, retail with tips, restaurants, lodging, e-commerce, MOTO, and auto rental. Debit card and EBT acceptance solutions are available, as are check acceptance services (both conversion and verification, with or without guarantee), e-commerce solutions (QuickBooks plugins, an Internet payment gateway, a “MOTO virtual terminal,” and batch upload), gift/loyalty cards, online reporting, ACH processing, equipment leasing, remote deposit capture, and ATMs. Solutions are branded as FirstPay.Net, FirstView, Secur-Chex, Merimac Capital, FirstFund ACH, and FirstAdvantage, among others. POS equipment is also available for purchase.
First American Payment Systems
Fort Worth, TX
Size of Portfolio: 118,281 merchants
Annual Transaction Volume: $10.8 billion
Diversifying Sales Models
A multifaceted sales and sales support model has been equally instrumental in fostering First American Payment Systems’ growth. The model incorporates more than 175 active ISOs and agents—“the root of the company,” says Jones. The model also includes a direct sales force and a cadre of value-added reseller (VAR) and other distribution partners.
All ISOs and agents receive comprehensive, customized training from a full-time, in-house training specialist with 27 years of experience in the electronic payments industry. “The training program consists of 18 distinct modules,” Jones explains. “Based on (the breadth of) partners’ own experience, we design and tweak the training using these modules. We then certify them as Bronze, Silver, or Gold,” depending upon their level of participation in First American Payment Systems’ program. To ensure consistency of procedures and service to merchants, in-person, video, and webinar education is provided to any new sales personnel hired by ISOs and agent organizations after they have signed on with First American Payment Systems. After the training, partners get 90 days of complimentary analysis of new employees’ sales performance, with continuing education and ongoing consulting services.
All ISOs and agents also work with a client relations consultant who helps them formulate, refine, and execute business plans. ISOs and agents can also consult with members of several First American Payment Systems teams for assistance in streamlining the merchant boarding process and increasing the potential for merchant retention. Other “perks” for partners in this category include online reporting, free income forecasting tools, strategic portfolio advice and analysis, and marketing assistance. Capital infusions for business expansion are often available, with decisions to allocate funds formulated on a case-by-case basis.
In addition, nonregistered ISOs can take advantage of prebuilt Web sites provided by the acquirer. Partners may provide an image, company-specific information, and their own URLs. “Web sites are a necessity in today’s corporate environment,” Jones says. “Not only do they help to validate a company, they offer pertinent information and often lead to meaningful business relationships.”
To attract sales executives and serve merchants that want local support, the company has also built a direct sales force of approximately 200 sales executives in 25 brick-and-mortar offices around the United States. A lead generation call center supports an additional 400 sales executives on the acquirer’s staff. “This operation is beneficial to those sales executives who prefer a support structure that includes being provided with warm leads daily and having access to a sales leader who remains available to assist them in meeting any needs merchants may have,” Jones asserts.
While in-house sales staff are trained in much the same fashion as ISOs and agents, VARs and other distribution partners assigned to handle First American Payment Systems’ proprietary gateway, government, and not-for-profit business channels are given complete autonomy in getting the job done. “These are dynamic technology firms that have proven to be industry leaders,” Jones notes. “[Unlike us,] they have a laser focus on their area of expertise, so they can continue to drive cutting-edge benefits to merchants in their verticals.”
Entering New Verticals
Over the past seven years, diversification into vertical markets—including health care, government/utilities, not-for-profit, direct sales, and what Jones deems “virtual terminal/gateway” (e-commerce)—has enabled First American Payment Systems to successfully weather recessionary conditions and industry-wide margin compression. Most diversification initiatives stem from the acquisition of existing entities; for example, movement into the direct sales arena occurred when First American Payment Systems acquired Eliot Management Group of Salt Lake City. Acquiring GoEmerchant Services of Cherry Hill, New Jersey, led to First American Payment Systems’ foray into e-commerce by adding virtual terminal and mobile payment solutions, a Web payment gateway, shopping cart functionality, and a QuickBooks accounting plug-in. Bringing on Govolution, an Arlington, Virginia-based company, yielded entrée into the government sector, and the purchase of iATS, a Vancouver, British Columbia, company that provides donation processing for nonprofit organizations in the United States and Canada, brought expansion into the not-for-profit arena.
Some of the acquisitions were First American Payment Systems’ ISO partners. “This has always been a part of our [diversification and growth] strategy,” says Jones. “When we can build a strong relationship with a partner and it wants to exit, it’s natural for us to fold the organization into ours. Just as significantly, we [prefer] that these organizations did not start as departments within First American Payment Systems, but as separate companies that were and are focused and passionate about a [particular market niche]. As such, they have driven best-in-class products and technology that enhance our offering tremendously. These organizations still maintain autonomy today.”
Pushing POS and Value-Added
The company’s next move is to expand into the POS side. GoEmerchant recently released a version of its mTerminal that lets merchants accept credit card and ACH payments on Apple iPhone and iPod Touch devices. When Transaction Trends spoke with Jones in late 2010, the MSP was in the midst of finalizing a partnership agreement with a POS equipment vendor. That relationship will enable First American Payment Systems to offer a “best-in-class” electronic cash register/computerized POS system. Also in the works is a retail-enabled mobile POS solution.
First American Payment Systems is also exploring additional value-added programs, such as options for charitable giving. Other possibilities will be considered down the road, but not without careful evaluation. “We are always evolving,” Jones says. “In our business, change is a constant. It is imperative to build an organization that is adaptable and can judge the difference between a flashy product that will never take off and one that could change our industry. Presently, we believe that having an organized e-commerce strategy that encompasses a diverse set of tools is important—but we wouldn’t move ahead in this area if we didn’t. It’s all about the right solution.”
Julie Ritzer Ross is a contributing writer to Transaction Trends. Reach her at email@example.com.
Photo caption: The leaders at First American have a rich background in payment processing and have ensured continued growth of the company by making conservative, yet dynamic decisions. L to R: Rick Rizenbergs, executive vice president of sales and marketing; Debra A. Bradford, president and CFO; Neil Randel, chairman of the board and CEO; Mike Lawrence, executive vice president and CIO; and Brian Dorchester, senior vice president of operations
Startup Strategies
Kevin Jones’ advice for newbie ISOs:
■ Don’t lose focus. Set a strategic sales vision early on, and don’t be distracted by “flashy” products. Several promising startups have failed in the past 10 years because constant changes of direction caused them to deviate from executing their original plan.
■ Take it one step at a time. After devising a business plan, “block and tackle” daily until you reach each objective and it’s really time to take the next step.
■ Choose partners wisely. Market volatility, emerging PCI compliance regulations, new IRS reporting obligations, and the influence of American Express and Discover on business practices mean that startups have to exercise due diligence in choosing partners. Commit to fulfilling related responsibilities in-house from day one, or find a trustworthy partner to manage these obligations well so you can focus almost exclusively on sales and marketing.
LET US PROFILE YOUR ISO
Is your company a successful ISO? Let us tell your story. E-mail firstname.lastname@example.org for more information.
Let’s Go to San Diego
ANNUAL EVENT PLANNED FOR MAY 9-12 WITH GREAT SESSIONS, A FULL EXHIBIT HALL, AND PLENTY OF NETWORKING OPTIONS
If it’s been said once, it’s been said 1,000 times: The electronic transactions business is all about connecting. Any encounter you have at the ETA Annual Meeting & Expo can turn into a business deal that could seal your company’s success. It’s the one meeting you can’t afford to miss. Whether you’re enjoying a golf outing with old friends and potential new partners, listening to a dynamic keynote address, or sitting down with a vendor on the Expo floor, you’re gathering information and striking relationships that could pay off big time for your business. The ETA meeting is the one-stop conference that will connect you with the information, opportunity, and people you need for success.
The 2011 ETA Annual Meeting & Expo is where merchant acquirers, financial institutions, processors, alternative payment providers, value-added resellers, prepaid companies, and merchant sales teams come together for the most diverse and comprehensive show in the payment industry. “Everyone knows that the ETA Annual Meeting & Expo is a must-go event for many reasons. All the players in the industry are there in one place at one time, so you can see who you need to see in order to move your business goals along and help others meet their goals,” says Tony Abruzzio, VP, global merchant card services and banking, Recombo Inc. “The key manufacturers and VARs are there with plenty of resources and they are exhibiting their newest products. ETA allows me to do in a few days that which normally could take many months.”
■ Education: Each year, ETA offers an impressive lineup of speakers and sessions designed to help you identify new opportunities, predict trends, and get ready for coming challenges. The 2011 meeting is no exception. You’ll hear from industry leaders who will discuss the changing regulatory environment, the challenges of merchant compliance, combating fraud and its innovative perpetrators, global opportunities, and so much more. “It’s really the best single source to keep up with what’s going on in the industry, conduct market research, and learn about new products and players in the marketplace,” says Mary Winingham of Mirror Consulting.
■ Networking: ETA always includes a wide array of special networking events, including a highly popular and competitive golf tournament, a well-attended opening night celebration, a star-studded President’s Dinner, and, special this year, the ETA “Party on the Harbor.” But some of the best networking opportunities can happen anywhere.
■ Exhibits: More than 180 exhibitors will demonstrate their products and services and fill you in on how their businesses can help yours. Exhibitors will tell you: Deals get done here. Don’t miss out on what could be the next big thing.
Don’t miss out on the one conference you have to attend this year. Visit www.electran.org to register today.
“I have made more contacts at the ETA Annual Meeting & Expo than any other single industry gathering, and I have closed more business than at any other time during the year.”
—John Wiegand, Merchant Capital Access
REGISTER NOW
Visit www.electran.org to register. Rates are $745 for members and $1,145 for nonmembers. Check the Web site for group and single-day rates. Special fees apply to certain activities and events, including ETA University (ETAU) sessions, Compliance Day, Prepaid Day, Investment Forum, and special outings. Hotel reservations are available at the Hilton San Diego Bayfront (headquarters hotel) for $225/night. Visit www.hiltonsandiegobayfront.com. For other hotels, go to the ETA Web site. For additional information about registration, e-mail firstname.lastname@example.org or call 866.ETA.MEET.
Schedule AT-A-GLANCE
Monday, May 9
9am-12pm  ETAU—Introduction to Electronic Processing
9am-12pm  ETAU—Acquiring Payments Risk/Fraud Management: Tactics & Trends
1-4pm  ETAU—Introduction to Operations
1-4pm  ETAU—PCI Compliance for the Small (Level 4) Merchant
Tuesday, May 10
8am-12pm  Golf Tournament
8am-5pm  Compliance Day
8am-5pm  Prepaid Day
8am-5pm  Investment Community Forum
9am-12pm  ETAU—Introduction to Sales and Marketing
9am-12pm  ETAU—Data Security Essentials
1-4pm  ETAU—Introduction to Technology
1-4pm  ETAU—Sales Channel Development
4:30-5:30pm  Welcome Reception for New Members, First-Time and International Attendees
5:30-7:30pm  Opening Reception in Exhibit Hall
6:30-7:30pm  Technology Product Showcase
7:30-10pm  President’s Dinner: ETA Star Awards and Volunteer Recognition
Wednesday, May 11
10:30am-6pm  Exhibit Hall open
10:30-11:30am  The Brave New World of Government Regulation
11:45am-12:45pm  Regulatory Update, Part 1: Interchange
11:45am-12:45pm  Merchant Acquiring 2015: A Look Toward the Future
1:30-2:30pm  Regulatory Update, Part 2: Market Landscape
1:30-2:30pm  Navigating the Wonderful World of PCI/Fraud
2:45-3:45pm  The Challenges of PCI Compliance
2:45-3:45pm  Going Global: Guidelines to Navigate the International Marketplace
4-5:00pm  Mobile Payments: Leveraging the Opportunity
4-5:00pm  e-Commerce Processing: Current Opportunities, Trends, and Challenges
5-6:00pm  Happy Hour
6-9:00pm  ETA/Discover Party on the Harbor
Thursday, May 12
9am-10pm  Exhibit Hall open
9:30-10:30am  Tweets, Posts, and Networking: Social Media in Payments
9:30-10:30am  How to Build a Successful Sales Program
10:45-11:45am  New Revenue Opportunities
10:45-11:45am  TBD
12-1:00pm  ETA: Your “Go-To” Resource for the Payments Industry
12-1:00pm  EMV Chip—A Global Update
Just Announced: Sen. Chris Dodd to Keynote
Former U.S. Senator Christopher Dodd will be the keynote speaker at the Wednesday general session. Dodd is best known in the electronic payments industry for the Dodd-Frank Act, the law that was the vehicle for the Durbin amendment on debit card fees and created the Consumer Financial Protection Bureau. But he also helped write the Sarbanes-Oxley Act, which strengthened accounting and management standards for publicly held companies, and many other significant pieces of legislation, especially regarding children’s issues, civil rights, voting rights, and privacy protection, including financial data security issues. He is a veteran of the Peace Corps, and ran for President in 2007-08. In San Diego, Dodd will discuss the rationale behind the Dodd-Frank legislation, prospects for changes to parts of the law, and what the payments industry can expect next from the current Senate and Congress—and field questions from the audience.
Debit Interchange Proposed Regulation Dissected
By Holli Targan, Jill Miller, and Sarah Weston
Here we are, on a new path. Never before has the Federal government regulated the industry so directly. Never has a governmental agency picked apart how the payment system works. Never has the government mandated operational aspects of card processing. The Durbin Amendment, and the regulation proposed by the Federal Reserve Board, do all that. Set forth below is a summary of the 177-page proposal published by the Board.
Enacted in July, 2010, the Dodd-Frank law requires the Federal Reserve Board (Board, or FRB) to issue regulations implementing the statute. To draft the regulations, the FRB met with industry constituencies and gathered information through surveys of payment system participants. For the first time in history, the Board held a webcast of the meeting at which the proposed regulations were released. The proposal requests comment on them, which the Board will consider before promulgating final regulations.
The proposal, published on Dec. 17, 2010, does three things. First, it establishes standards for determining whether a debit card interchange fee received or charged by an issuer is reasonable and proportional to the cost incurred by the issuer. Second, it prohibits issuers and networks
from restricting the number of networks over which a debit transaction may be processed. And third, it prohibits issuers and networks from inhibiting the ability of a merchant to direct routing of a debit transaction. The law requires the Board to publish final regulations by April 21, 2011, to be effective by July 21, 2011.
Scope
The first order of business is to clarify what the proposed regulation will cover. It is debit, and generally not credit, cards that are subject to the law. But let’s be clear: this means both PIN debit and signature debit cards. Debit cards subject to the Act are more than just cards—they include other payment codes, such as an account number, issued through a payment card network to debit an account. General-use prepaid cards, known as network branded prepaid cards, are included in the definition of debit cards as are decoupled debit cards (cards where the issuer is not the institution that holds the underlying account being debited) and deferred debit cards. Specifically excluded from the definition of a debit card are gift cards that can be used only at a limited number of merchants, checks, and ACH payments.
There are two categories of transactions that, although technically covered by the law, the Board does not quite know how to handle: ATM transactions and closed loop card transactions. The proposed rule covers debit card transactions that debit an account. And technically, since ATM cards are used to debit an account, ATM transactions are covered by the law. The Board recognizes the difficulties in applying the law to ATM transactions, and therefore has not decided whether ATM transactions should be included in the final regulation. Note that even if ATM transactions are covered in the final rule, the interchange fee restrictions would not apply to ATM networks, although the network-exclusivity prohibition and routing provisions, discussed below, would.
Just like ATM transactions, closed loop transactions are technically covered by the law. Again, the Board had a difficult time trying to apply the language in the law to closed loop systems. So the proposal asks for comments on whether closed loop transactions should be included within the final regulation.
Reasonable and Proportional Interchange Fees
The law requires that the Board set standards for determining the amount issuers
may receive or charge for a debit transaction, mandating that the fees must be “reasonable and proportional to the cost incurred by the issuer with respect to a particular transaction.” In determining if a fee is reasonable and proportional, the law directs the Board to distinguish between incremental costs incurred by issuers in the authorization, clearing and settlement of debit transactions, and other costs which are not specific to authorization, clearing and settlement. By law, the interchange fee restrictions do not apply to three broad categories: cards issued by institutions with less than $10 billion in assets; transactions using cards under government-administered programs; and reloadable, general use prepaid cards not marketed or labeled as gift cards. So what is the “interchange transaction fee”? This is defined in the proposal as any fee established, charged or received by a payment card network for the purpose of compensating an issuer for its involvement in a debit card transaction.
Alternatives
Not settled is a method for determining whether an interchange fee is “reasonable and proportional.” The proposed rule gives two suggestions. Alternative 1 permits each issuer to determine the maximum fee it may receive for a debit transaction by calculating its variable costs. The Board stated that the only costs it should consider in determining allowable costs are those that specifically relate to authorization, clearing and settlement. Allowable costs do not include those that are not specific to a particular transaction or that are not incurred for authorization, clearing and settlement. This alternative states that an issuer may not receive more than $0.12 per debit transaction. It also provides a “safe harbor” of $0.07 per transaction for issuers that do not want to calculate their specific allowable costs. This means that if an issuer decided not to calculate its costs, it could receive $0.07 per transaction, and still comply with the law. Alternative 2 has the same $0.12 per-transaction cap but eliminates the requirement that each issuer calculate its costs. Under Alternative 2, any interchange fee at or below $0.12 would be permitted. Implementation of this method places less
administrative burden on industry participants because each issuer would not be required to compute its allowable costs.
How did they arrive at those numbers? The Board used the survey responses which indicated that the median per-transaction total processing cost was $0.13 for all types of debit and prepaid card transactions; the 50th percentile of estimated per-transaction variable costs was approximately $0.07. The cap of $0.12 was selected because it significantly reduces the current interchange fees charged and it allows for recovery of per-transaction costs for approximately 80 percent of covered issuers.
The Board set forth two other potential methods for implementing the interchange fee standards. Under the first approach an issuer could receive varying interchange fees as long as the average for all its transactions was at or below the standard set by the Board. Under the second approach an issuer would comply as long as, on average, over a specified period, all covered issuers on a particular network meet the fee standard, taking into account all of that network’s mix of transactions. In other words, compliance would be evaluated at the network level, as opposed to at the individual issuer level.
The proposed rule contains a general prohibition against circumventing the interchange fee restrictions, and specifically prohibits issuers from receiving “net compensation” from networks. Net compensation means the total amount of compensation provided by the network to the issuer, such as per-transaction rebates and incentives, that exceed the total amount of fees paid by the issuer to the network. The proposal discusses whether increases in fees charged by a network to acquirers should be considered circumvention of the fee restrictions. For example, a network could increase switch fees charged to acquirers to offset the decrease in interchange fee income. The Board believes that such action would not necessarily indicate circumvention because issuers would not be permitted to receive net compensation from the network.
Fraud Prevention Adjustment
The law allows an adjustment to the interchange restrictions if the adjustment is reasonably necessary to make an allowance for costs incurred by the issuer in preventing fraud, and the issuer complies with fraud prevention standards established by the Board. The proposal does not specify provisions to implement this adjustment, which will be in addition to interchange. Instead, the Board set forth two approaches regarding the fraud prevention adjustment. The first approach, the technology specific approach, would allow issuers to recover costs incurred for implementing major innovations that would likely result in substantial reductions in fraud losses. The rule would establish specific technologies that an issuer must employ to be eligible to receive the adjustment. The second, or nonprescriptive approach, would not prescribe specific technologies but would require issuers to take steps necessary to maintain an effective fraud prevention program. There are several pages of questions requesting comments on the fraud adjustment. For example: What type of technologies should be considered if the board adopts the technology specific approach? Should a cap and safe harbor be used? We expect to see another round of proposed regulations and comment period regarding the fraud adjustment.
Limits on Payment Card Restrictions

The second major subject of the law relates to limits on payment card restrictions. Note that the statutory exemptions for small issuers, government administered cards and reloadable prepaid apply only to the fee restrictions, and not this. So the below network exclusivity and merchant routing restrictions apply to those, as well as to all PIN and signature debit transactions.

By the way, there are two clauses in the law that the proposal states are self-executing and not subject to the Board’s rulemaking authority, so the proposal does not discuss these. The first is that the networks cannot prevent merchants from offering discounts based on method of payment tendered. In other words, discounts for payment cannot be prohibited. The second is that the network rules cannot prevent merchants from setting minimum or maximum transaction amounts on credit card transactions.
Network Exclusivity

The law prohibits an issuer or network from restricting the number of networks on which a debit transaction may be processed to fewer than two unaffiliated networks. So, by law, every debit transaction has to be able to be processed on two unaffiliated networks. Easy to say, difficult to implement.

The proposal requests comment on alternative approaches for determining whether there are at least two unaffiliated networks available to carry a transaction. Under Alternative A, every card must have at least two unaffiliated networks available for processing a debit transaction, no matter the authorization method. Under Alternative B, every card must have at least two unaffiliated payment card networks available for each authorization method.

An issuer could comply with Alternative A by offering on each card one signature network and one unaffiliated PIN network, or having two unaffiliated signature networks or two unaffiliated PIN networks. The advantage of this alternative is that it would avoid significant compliance costs and will be less likely to necessitate major changes to existing infrastructure. The drawback is that only two of the 8 million merchants are capable of accepting PIN, and PIN is not available for certain merchant categories or types of transactions.
So if a card had one PIN and one signature network, that card effectively can only be processed over one network, which defeats the merchant routing choice mandated by the law.

Under Alternative B, a card must have at least two unaffiliated payment card networks available for each authorization method. So issuers would comply by having two PIN networks and two signature networks on each card. The advantage is that this would facilitate the merchant routing choice. But it would require major changes to network and processor infrastructure, as currently the systems cannot handle multiple signature networks on the same card. The Board recognizes that enabling multiple signature networks may not be feasible in the short term because it would require replacement or reprogramming of millions of merchant terminals and changes to software for networks, issuers, acquirers and processors to support multiple signature networks.

Not acceptable under either alternative are networks with limited geographic scope, such as regional networks, nor networks accepted at a limited category of merchants, like a supermarket chain. Note that if two networks on a card merge, the card would no longer be compliant and an unaffiliated network must be added within 90 days.

Debit cards subject to the Act are more than just cards—they include other payment codes, such as an account number, issued through a payment card network to debit an account.

Merchant Routing Restrictions

The law requires regulations to prohibit an issuer or network from directly or indirectly inhibiting a merchant’s ability to route debit transactions through any network that may process the transaction. This will involve a major shift in the industry, as currently routing choice is determined by issuers. The proposal sets forth practices that would inhibit a merchant’s ability to route. In particular, networks cannot: 1) prohibit steering, 2) require that the transaction be routed over a specific network, or 3) require a particular method of authorization based on the access device provided by the cardholder. The Board recognized that real time merchant routing decision making is not feasible, and advocates routing decisions determined in advance and set between the merchant and the acquirer for all of that merchant’s debit transactions.

Two different proposed effective dates for network exclusivity and routing are suggested, depending on the alternative selected: Oct. 1, 2011 for Alternative A and Jan. 1, 2013 for Alternative B because multiple signature networks will be required for each card, and they recognize it will take time to get the systems in place.

That, in a nutshell, is how the FRB proposes to implement the Durbin Amendment. Absent a change to the law, final regulations should be published by April 21, 2011. Stay tuned.

Holli Targan, Jill Miller, and Sarah Weston are attorneys at Jaffe, Raitt, Heuer & Weiss, P.C., concentrating their practices on payment systems compliance, contract, and merger and acquisition law. You may reach them at www.jaffelaw.com, or 248/351.3000.
Editor’s Note: Former U.S. Senator Christopher Dodd will be the keynote speaker at the 2011 ETA Annual Meeting and Expo. He will be answering questions about the Durbin amendment and other aspects of the Dodd-Frank Act. For more information, visit www.electran.org.
ETA 2010-2011 BOARD OF DIRECTORS OFFICERS PRESIDENT Rick Pylant Chairman & President COCARD Marketing Group LLC
EX-OFFICIO Carla Balakgie CEO Electronic Transactions Association
Kim Fitzsimmons Senior Vice President—First Data Services First Data Corporation Robert McCullen CEO Trustwave
PRESIDENT-ELECT Eddie Myers President & COO Payment Processing Inc. TREASURER Roy Banks CEO ACCELERATED Payment Technologies Inc.
Jan Estep President & CEO NACHA
Diana Mehochko President TSYS Merchant Solutions Jeff Rosenblatt President EVO Merchant Services
SECRETARY Tom A. Wimsett Chairman & CEO J&T Ventures
Debra Rossi Executive Vice President Merchant Payment Solutions Wells Fargo Bank
IMMEDIATE PAST-PRESIDENT Holli Targan Partner Jaffe, Raitt, Heuer & Weiss P.C.
Kurt Strawhecker Managing Director The Strawhecker Group
Sameer Govil Head of Acceptance Solutions Global Acceptance Visa Inc. Steve Carnevale Senior Vice President/Group Head Commerce Development MasterCard Worldwide Ron Shultz Vice President American Express Gerry Wagner Vice President Discover Financial Services
ADVISORY COUNCIL Tom Bell CEO Bank of America Merchant Services
DIRECTORS Todd Ablowitz President Double Diamond Group
LEGAL COUNSEL Dave Goch Attorney at Law Webster, Chamberlain & Bean
Donald Boeding President—Merchant Services Fifth Third Processing Solutions
Robert Baldwin President & CFO Heartland Payment Systems Inc.
Chuck Harris President NetSpend
Gregory Cohen President Moneris Solutions
Chris Hylen General Manager & Vice President Intuit
Gary Goodrich CEO ProPay Inc.
Mike Passilla President & CEO Elavon
Advertisers index

Company | Page | Phone | Website
Authorize.Net | C2 | 866-437-0491 | www.authorize.net
Discover Network | 1 | 224-405-0900 | www.discovernetwork.com
Elavon | 25 | 678-731-5236 | www.elavon.com
Electronic Merchant Systems | C3 | 800-726-2117 | www.emscorporate.com
eProcessing Network, LLC | 16 | 800-296-4810 | www.eprocessingnetwork.com
First American Payment Systems | 2 | 866-GO4-FAPS | www.go4faps.com
First Data/CARP | 5 | 1-800-298-3025 | www.firstdatapartners.com/partners
PacNet Services Ltd. | 11 | 604-689-0399 | www.pacnetservices.com
Planet Payment | 19 | 516-670-3200 | www.planetpayment.com
Security Metrics | 13 | 801-724-9600 | www.securitymetrics.com
Total Merchant Services, Inc | C4 | 888-84-TOTAL x9411 | www.upfrontandresiduals.com
TSYS | 7 | 706-644-4422 | www.tsys.com
USA ePay | 22 | 866-872-3729 | www.usaepay.com
Risk and Reward

Flexibility and a commitment to customer service drive Verifi’s risk-management business

By Kim Fernandez
Flexibility and a commitment to customer service, rather than advertising, have propelled Verifi Inc.’s successful history. Founded in 2005, the Los Angeles-based company specializes in a wide variety of fraud management services for card-not-present (CNP) merchants.

“Historically, we’ve done very little marketing,” says Cory Capoccia, vice president of strategic partnerships. “We get a lot of direct referrals. We work with the different acquirers, the issuing banks, and we work closely with different vendors in the transaction supply chain on shopping carts, management systems, and call centers.”

One of Verifi’s biggest business lines is representing vendors in chargeback situations. “This is an ever-present problem for merchants in a CNP environment,” says Capoccia. “As more and more are moving toward online and e-commerce, we’re seeing a lot of consumers having less loyalty to merchants in general. They’ve been trained to find the path of least resistance, and they realize they can flip over the credit card or go online through a Web portal to dispute charges for any reason.”
Individualized Services

Verifi sees three main types of chargeback fraud: friendly fraud, when the consumer legitimately makes a purchase but later claims they didn’t receive the item; family fraud, when a child uses a parent’s card to run up bills and the parent later disputes the charges; and true fraud, when purchases are made using a stolen card number.

“When a consumer goes to the site, we try to provide our clients with as many different data points as they can possibly interpret—information about that consumer and his or her shopping past—so that the merchant can make a decision about accepting that charge,” says Capoccia.

“We can layer in both proprietary and third-party vendor technology to provide a layered solution that uses different technologies,” he continues. “That enables merchants to customize their own thresholds and decide if they want to be more relaxed or more guarded as they consider new customers.”

The company also offers location information, device fingerprinting, and the use of internal databases to further investigate individual consumers. This allows merchants to decline high-risk customers or flag them for manual approval and a more detailed order confirmation process.

“I use the term ‘risk’ very broadly,” Capoccia notes. “We look at risk as being made up of a number of different components,” such as risk of refund, risk to profitability, and risks of chargebacks. For the latter, Verifi will take a personal approach for clients who opt for that service.

“We have an in-house team that merchants can outsource chargebacks to,” he says. “They’ll fight chargebacks when we believe the original charge was good, and help merchants to recover that revenue.”
Forward Thinking

In the future, Capoccia believes merchants will need to face down new forms of fraud, including those stemming from increased international transactions and mobile payments.

“E-commerce cannot continue to be domestic,” he says. “Merchants will have to accept global-level transactions, and very little is understood by merchants, traditionally, in terms of the risks involved in accepting international transactions.”

The ubiquity of cell phones also is a source of both opportunity and risk. “Every time we see a phone come out, it’s with new technology,” Capoccia says. “More people are relying on that little device to run their transactions and shop. It’s really uncharted territory.”

Those new challenges will call on fraud services providers to develop new solutions. That’s one reason Verifi is open to partnerships, such as the one it recently launched with Demandware LINK that will quickly add new services and technologies to its clients’ options.

“This will help us leverage all of these solutions without having to run transactions through our gateway,” he says. “You can use our chargeback representation service without necessarily running transactions through us.”

Kim Fernandez is a contributing writer to Transaction Trends. Reach her at email@example.com.
GET THE REAL STORY. REAL REPS. REAL SUCCESS.
What makes you good sales agents? Having the same regard for each customer, no matter how big or small.
Why do merchants choose you? We always put ourselves in their shoes. We know what it’s like to get the runaround and our service is always up-front.
What’s your aspiration? To build long-term financial security for our kids. And to enjoy some of the finer things today, by earning well above the average.
Chris, what’s your inspiration? I grew up relatively poor compared to many of my friends in high school. I think seeing their much nicer homes and nice vacations, etc. definitely made an impression.
Monica, how do you maintain your work/life balance? I leave work at the office and the computer off at home, otherwise I get sucked into the email trap!
What were your residuals before the TMS Free Terminal Placement Program? Average.
Residuals now? Way above average!
What’s the best decision you ever made? Joining Total Merchant Services as sales partners.
What’s your greatest accomplishment? Our family.
Your perfect weekend? Being with the kids at the beach.
Chris and Monica Collins Business Credo: Give a lot to get a little.
Start writing your success story today! Join the team with a proven track record. Check out Total Merchant Services program details at www.upfrontandresiduals.com or call us toll-free at 1-888-84-TOTAL ext. 9411 Total Merchant Services (TMS) is a Member Service Provider for: HSBC Bank USA, National Association, Buffalo, NY.