Merchant Processing. Trends and Truths. Roger Raney TransFirst Regional Sales Manager

Transcription

1 Merchant Processing Trends and Truths Karen Miles US Rice Producers Association Financial Director Roger Raney TransFirst Regional Sales Manager Andrea Cruz-Lawson Cadence Bank N.A. VP Treasury Mgt. Sales Officer

2 Panel Discussion What do you need in a Merchant Services partner? What do you want in a Merchant Services partner? What keeps you up at night critical business challenges? As my advisor, tell me what I don t know?

3 Panel Discussion What do you need in a Merchant Services partner? Help translating my existing merchant statement & identify cost saving efficiencies. High level of customer service with prompt response times. Settlement transmission time frames for Visa, MasterCard, Discover, American Express? Guidance on which to accept?

4 Panel Discussion What do you want in a Merchant Services partner? Web integration that provides reconciliation reporting. E-Commerce point of sale web presence to accept payments. Dynamic payment options to pay multiple accounts with multiple credit cards.

5 Panel Discussion What keeps you up at night critical business challenges? Am I protecting our corporate interests, what is my liability in the event of a security breach. How can I control expenses & manage surcharges to increase my bottom line? What is merchant insurance, does my current policy provide me with sufficient coverage?

6 Panel Discussion As my advisor, tell me what I don t know? PCI Compliance Guidelines, what you are responsible for. How to avoid downgrades and the disadvantages of Daily Discounting. The benefits of partnering with a Direct Processor vs. an Independent Sales Office (ISO).

7 Agenda Surcharges Here we go! Why EMV and Why Now? Achieving PCI-DDS Compliance The Square Good News or Not So Good News

8 Surcharges Here we go! Merchants who choose to surcharge will be required to follow certain requirements, including disclosure of surcharge practices to customers at the store entry point and at the point of sale. The following information and resources are available to assist merchants who opt to surcharge in preparing for these changes: Merchants who choose to surcharge must notify Visa and their acquirer 30 days prior to beginning to surcharge

9 Considerations and Requirements

10 Surcharge Notification Sample We impose a surcharge on credit cards that is not greater than our cost of acceptance

11 Why EMV and Why Now?

12 What is EMV-Europay MasterCard and Visa EMV is based on strong cryptography (both symmetric and asymmetric) and elaborate key management; a fundamental EMV principle is to digitally sign payment data to ensure transaction integrity. As opposed to magnetic stripe technology, a chip is extremely difficult to crack; card authentication and PIN verification are performed automatically and objectively by the chip. EMV s dynamic data feature basically says if you can t prevent data from being stolen, make the stolen data useless because dynamic data is only useful for the sole transaction it characterizes, nothing more.

13 Why EMV and Why Now? There are many reasons why EMV chip technology makes sense for the United States. These are some of the major factors: It is the consensus amongst observers although there are no published fraud numbers in the U.S. like there are in other domestic markets that physical world fraud in the U.S. is already above the global average and still on the rise.

14 Differences and Benefits of EMV EMV chip card transactions improve security against fraud compared to magnetic stripe card transactions that rely on the holder's signature and visual inspection of the card to check for features such as hologram. The supposed increased protection from fraud has allowed banks and credit card issuers to push through a 'liability shift' such that merchants are now liable.

15 Liability Shift Dates United States Liability Shift Dates American Express is implementing a liability shift for point of sale terminals in October, For pay at the pump, at gas stations, the liability shift is October, Discover is implementing a liability shift on October 1, For pay at the pump at gas stations, the liability shift is October 1, Maestro is implementing a liability shift of April 19, 2013, for international cards used in the United States.

16 Liability Shift Dates United States Liability Shift Dates MasterCard is implementing a liability shift for point of sale terminals in October, For pay at the pump, at gas stations, the liability shift is October, For ATMs, the liability shift date is in October Visa is implementing a liability shift for point of sale terminals on October 1, For pay at the pump, at gas stations, the liability shift is October 1, For ATMs, the liability shift date is October 1, 2017.

17 Differences and Benefits of EMV Cardholder Inconvenience Abroad With market penetration of EMV technology deployment growing around the world, in particular the nearly 100% coverage in the Single Euro Payment Area (SEPA) and soon to be in Canada, the magnetic stripe technology becomes more and more archaic. Mobile and Contactless Implementing EMV chip technology in the United States will speed up mobile and contactless payments and make them more secure. The devices that accept EMV chip cards are dual contact/contactless devices. By installing these devices to accept EMV, merchants are also readying themselves to accept mobile and contactless payments as well.

18 EMV and the Technology Innovation Program Effective 1 October 2012, Visa expanded the Technology Innovation Program (TIP) to the U.S. TIP rewards merchants that have invested in EMV technology by eliminating the requirement to validate compliance with the Payment Card Industry Data Security Standard (PCI DSS) for any year in which at least 75 percent of the eligible merchant s Visa transactions originate from dual-interface EMV chip-enabled terminals Terminals must be enabled to support both EMV contact and contactless chip acceptance, including mobile contactless payments based on NFC (near field communication) technology. Contact chip-only or contactlessonly terminals will not qualify for the U.S. program.

19 Technology Innovation Program To qualify for the program and receive its benefits, U.S. merchants must meet all of the following criteria: The merchant must have validated PCI DSS compliance within the previous 12 months or have submitted to Visa (via their acquirer) a defined remediation plan for achieving compliance, based on a gap analysis. The merchant must have confirmed that sensitive authentication data (i.e., full contents of magnetic stripe, CVV2 and/or PIN data) is not stored, as defined in the PCI DSS. At least 75 percent of the merchant s total transaction count must originate from dual-interface (contact / contactless) enabled chip-reading device terminals. The merchant must not be involved in a breach of cardholder data. A breached merchant may qualify for TIP if they have subsequently validated PCI DSS compliance.

20 Achieving PCI-DDS Compliance

21 What is PCI-DDS The Payment Card Industry Data Security Standard (PCI DSS) is a set of requirements designed to ensure that ALL companies that process, store or transmit credit card information maintain a secure environment. Essentially any merchant that has a Merchant ID (MID). The Payment Card Industry Security Standards Council (PCI SSC) was launched on September 7, 2006 to manage the ongoing evolution of the Payment Card Industry (PCI) security standards with focus on improving payment account security throughout the transaction process.

22 Who Does PCI-DDS Apply to PCI applies to ALL organizations or merchants, regardless of size or number of transactions, that accepts, transmits or stores any cardholder data. Said another way, if any customer of that organization ever pays the merchant directly using a credit card or debit card, then the PCI DSS requirements apply. Utilizing a third-party processor does not exempt PCI compliant requirements. Merely using a third-party company does not exclude a company from PCI compliance. It may cut down on their risk exposure and consequently reduce the effort to validate compliance. However, it does not mean they can ignore PCI.

23 PCI Compliance Levels and Requirements

24 PCI-DDS Penalties Potential penalties for Non-Compliance are as follows: The consequences of not being PCI compliant range from $5,000 to $500,000, which is levied by banks and credit card institutions. Banks may fine based on forensic research they must perform to remediate noncompliance. Credit card institutions may levy fines as a punishment for noncompliance and propose a timeline of increasing fines. The following table is an example of a time-cost schedule which Visa uses.

25 Branch Consequences Even if a company is 100% PCI compliant and validated, a breach in cardholder data may still occur. Cardholder Breaches can result in the following losses for a merchant. $50-$90 fine per cardholder data compromised Suspension of credit card acceptance by a merchant s credit card account provider Loss of reputation with customers, suppliers, and partners Possible civil litigation from breached customers Loss of customer trust which effects future sales For more information on PCI Data Security Standards (PCI DSS)

26 The Square Good News or Not So Good News

27 The Square Overview Founded in February of 2009 by Jack Dorsey who is also the founder of Twitter.com, Square has seen tremendous growth in a very short amount of time. Much of the company s success can be attributed to the fact that Square has ingeniously broken the mold of credit card processing by removing the traditional barriers-to-entry that restricted processing services to actual businesses and instead brings credit card acceptance to the individual, or essentially anyone and everyone.

28 The Square Overview Signing up for the service is simple: iphone, ipad and Android users simply fill out a quick form, download the Square app, and then await the arrival of the Square up reader in the mail. The Square credit card reader plugs into the headphone jack of the phone or tablet thereby making it a mobile credit card terminal. In fact, Square s model has been so successful that it has attracted big name competitors such as Intuit (GoPayment) and North American Bancard (Pay Anywhere), as well as numerous others both domestically and internationally.

29 The Square The Good Merchants have two pricing options: First, pay a single flat rate of 2.75% for swiped transactions and 3.5% + $0.15 per typed transaction (as of this review). Or, pay a flat monthly fee of $275 and 0% on swiped transactions up to $250,000 in processing per year (keyed transactions still cost 3.5% + $0.15 each). Although the transaction rate for the first pricing option is higher than the Qualified rate of most traditional merchant accounts, it is comparable to the Mid-Qualified and Non-Qualified downgrade surcharges that about 80% of most transactions experience with a traditional merchant account anyway. The rate is, however, much more expensive than the Interchange Pass-through rate pricing model. The second pricing model becomes lessand-less expensive once merchants swipe more than $10,000 in sales per month, but there is no savings for keyed transactions.

30 The Square The Not So Good Square does not verify the credit history of its customers prior to approving an account, so it sets a few limitations to avoid potential losses to fraud. Square states that there is no limit to the amount of money that can be accepted per transaction or per month through its service which is only partially true. Instead of setting processing limitations and denying transactions once users reach their limit, which is something most other processors do, the company relies on two tactics to mitigate potential losses due to fraud. The tactics allow merchants to accept an unlimited amount of credit card sales, but with a catch. (see next slide)

31 The Square The Not So Good Square places holds on funds of card-not-present sales for 30 days if more than $2,002 is charged within any rolling seven day period. This means that if merchants key-in $2,100 in sales within a seven day period (either in a single transaction or in multiple transactions), the extra $98 ($2,100 $2,002 = $98) will be held by Square for 30 days. This policy appears to generate much confusion among users because Square does not provide any warning before the $2,002 limit is reached.

32 The Square The Not So Good Square appears to rely on undisclosed algorithmic risk factors to place automatic holds on transactions that it deems suspicious. The system appears to flag a high number of legitimate transactions and can cause serious problems for some merchants. Numerous merchants report that Square never notified them of the hold, or the reason for placing it, and they only discovered it only when they stopped receiving deposits from their sales.

33 Square Customer Service and Complaints The majority of the complaints fall into three areas: Virtually non-existent phone support, misunderstanding and non-disclosure of the $2,002 cardnot-present deposit hold policy, and reports of random fund holding exceeding 30 days with no explanation or communication from Square. The company appears to rely too heavily on customer service provided by , a Twitter support page, and a support blog. This can pose a big drawback for many merchants, especially for those who are not willing to wait for an response. For more information:

34 Questions Karen Miles US Rice Producers Association Financial Director Roger Raney TransFirst, LLC Regional Sales Manager Andrea Cruz-Lawson Cadence Bank N.A. VP Treasury Mgt. Sales Officer Thank you for coming!