Preparing for the Shift in Credit Card Liability in 2015

Q: Do I need to accept credit cards with a “chip” at my stores? I’ve been told there will be a deadline to do this. My equipment only accepts the magnetic swipe cards and I don’t see many “chip” cards.

A: Great question—there’s a lot of confusion about this. There’s a big shift in the payment space in the works called EMV (Europay/MasterCard/Visa), and it will be firmly hitting home by October 2015. EMV cards are commonly known as chip and pin cards: the chip refers to the integrated circuit built into the card, and the pin is the familiar ability to input a pin number to secure the transaction. All merchants in the U.S. will have to be very familiar with the impact of chip and pin or face consequences. Let me explain.

Chip and pin is already the standard in Europe and Canada. Magnetic swipe cards, which the majority of Americans carry in their wallets, are easily forged and are the cause of a great deal of fraud. Much of that fraud is absorbed by the banks that issue the credit cards, and they want to reduce that exposure by implementing chip and pin.

Why now, you ask? The more secure EMV technology has had many starts and stops here in the U.S., with many bank card issuers having offered “smart” cards with chip technology, but that’s been a drop in the bucket in terms of acceptance and impact. The issue has been cost: it is very expensive for the banks to change over all the magnetic swipe cards, and upgrade their systems to accept this technology.

All of that is about to change when banks shift the liability in credit card transactions to merchants by October 2015. Yes, you heard that right. If the merchant doesn’t have a chip and pin-capable POS system, the liability of fraudulent credit card transactions will fall firmly on his shoulders. That is the huge lever the banks will use to get merchants to make the necessary investment to purchase EMV-equipped terminals and POS systems.

The banks will still issue cards that have both the magnetic swipe and the embedded chip and pin technology. They don’t want a situation where a transaction cannot be processed if a merchant does not have the EMV equipment. However, if the card is used with the magnetic swipe, the liability will fall on the merchant.

These liability shifts have already taken place all over Europe, so this is nothing new, but it’s now going to have teeth in the U.S. market. Credit card fraud totals $8.6 billion a year so the banks are eager to roll out EMV cards and force merchants to upgrade their systems to accept these cards.

So as stated, October 1, 2015 will be the EMV “D Day” when all merchants that accept credit cards must have the ability to accept EMV cards in the U.S. or they will be liable for fraudulent charges. Since this will require a new investment in hardware (and as frustrating as that might be), it may be a good opportunity to think broadly about your point-of-sale in general and use this as an opportunity to enhance your POS system beyond just becoming EMV compliant.

This can be an opportunity to upgrade outdated retail technology to improve how you engage with customers, track your inventory, improve reporting, run mobile transactions on your sales floor, deliver omni-channel (store and web) integration, address PCI compliance, etc.

If you would like more information on EMV technology, or have any questions related to point-of-sale, you can reach Michael Dattoma at Michael@retailmerchantservices.com.

How to avoid costly credit card downgrades

Q: I understand there are some really high penalty rates with Visa and Mastercard for not following proper procedure. How do I know if I am doing things correctly so I can avoid penalty fees?

A: Yes, you are correct, and this will lead me deeper into the topic of Interchange Plans. In the past couple of months I have had a lot to say about Interchange rates (see here and here), and the benefits of being on an interchange passthrough plan for credit card processing—especially in light of the recent changes to debit card interchange costs by the federal government.

With an interchange plan you get the benefit of seeing all Visa and Mastercard wholesale interchange rates with full transparency. There is absolutely nothing to hide, no malicious markups, and that is what helps to eliminate many of the markups retailers see with traditional “tiered” rate plans.

Now, to answer your question, I would like to pull back the curtain further and explain the two interchange classifications that are highly punitive to retailers for failing to follow proper Visa/Mastercard procedures. They are the EIRF (Electronic Interchange Reimbursement Fee) for Visa, and the innocuously named, but very onerous, Standard Electronic Interchange Reimbursement Fee, for both Visa and Mastercard.

Before I explain how to avoid the EIRF and Standard fees I must warn you: if you are not on an interchange plan you will not even see them listed on your statement. On tiered plans they will be tossed into a large bucket called “non-qualified” for the biggest downgrades, without explanation. What you don’t know in tiered rate plans can really hurt you.

Electronic Interchange Reimbursement Fee (Visa only)

First, let’s go over a few toxic scenarios that make good transactions downgrade to EIRF.

Not settling transactions within 48 hours: If you have a batch of transactions that were all correctly authorized, but not properly settled in time, all the sales would default to EIRF. That would take you from a 1.54% + $0.10 cents interchange to 2.30% + $0.10. Ouch!

This also becomes a problem if you authorize a sales order and then wait to ship the goods after 48 hours. If you use the same authorization number beyond the 48 hours you will default to EIRF.

Solution: Always settle your batch nightly. If you ship past 48 hours of the initial card authorization, get a new authorization number on the day you ship to avoid EIRF.

Mismatch between the authorized sale amount and the “settled” amount: If someone comes into your store, and you ring them up for $250 in merchandise and obtain an authorization, what do you think happens if they decide to leave out one item and reduce the sale to $225? If you use the same authorization number that you obtained for the $250 (even though it is a lesser amount), then the EIRF strikes again. While most merchants know it is okay to use the same authorization if it’s under the approved dollar amount, they don’t realize that it defaults to EIRF.

Solution: Get a new authorization code if the sales amount changes, even by a penny. Make it a policy…educate your employees to do this.

Not getting an Address Verification on a keyed-in transaction: You are required to obtain an address verification on all keyed-in sales (phone, web, catalog). If you do not, they will default to EIRF.

Solution: Enter all AVS (Address Verification Service) information when prompted at the point-of-sale and enter the fields correctly. Make sure your POS software or terminal is programmed to prompt for AVS on all keyed-in sales.

Authorization is obtained by voice, and then authorization is “forced”: There will be times you will need to call in for authorization and then “force,” or manually key-in, the authorization code into the POS or terminal. Just realize that when this is done, they will default to EIRF so try to limit this as much as possible.
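An added example (not from the original column): the four EIRF triggers above written as an audit over a day's batch, with the extra interchange each downgrade costs at the 1.54% and 2.30% rates quoted earlier. The record fields and the sample transactions are constructed for illustration and are not a processor's real settlement format.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from decimal import Decimal, ROUND_HALF_UP

# Figures quoted in the column; the record layout below is an assumption.
SETTLE_WINDOW = timedelta(hours=48)
QUALIFIED_RATE = Decimal("0.0154")  # 1.54% (+ $0.10 per item)
EIRF_RATE = Decimal("0.0230")       # 2.30% (+ the same $0.10 per item)


@dataclass(frozen=True)
class Txn:
    txn_id: str
    authorized_at: datetime
    settled_at: datetime
    authorized_amount: Decimal
    settled_amount: Decimal
    entry_mode: str      # "swiped" or "keyed"
    avs_submitted: bool  # address verification data sent with the sale
    forced_auth: bool    # voice authorization code keyed in manually


def eirf_reasons(t):
    """Return every EIRF trigger from the column that this sale hits."""
    reasons = []
    if t.settled_at - t.authorized_at > SETTLE_WINDOW:
        reasons.append("settled more than 48 hours after authorization")
    if t.settled_amount != t.authorized_amount:
        reasons.append("settled amount differs from authorized amount")
    if t.entry_mode == "keyed" and not t.avs_submitted:
        reasons.append("keyed-in sale without AVS")
    if t.forced_auth:
        reasons.append("voice authorization forced")
    return reasons


def downgrade_cost(t):
    """Extra interchange paid at EIRF; the per-item fee is equal and cancels."""
    extra = t.settled_amount * (EIRF_RATE - QUALIFIED_RATE)
    return extra.quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def audit_batch(txns):
    """Map txn_id -> (reasons, extra cost) for every sale that would downgrade."""
    report = {}
    for t in txns:
        reasons = eirf_reasons(t)
        if reasons:
            report[t.txn_id] = (reasons, downgrade_cost(t))
    return report


D = Decimal
# Constructed sample batch, not real transaction data.
SAMPLE_BATCH = [
    # Authorized for $250, customer dropped an item, same auth reused at $225.
    Txn("T1", datetime(2015, 3, 2, 14, 0), datetime(2015, 3, 2, 23, 0),
        D("250.00"), D("225.00"), "swiped", False, False),
    # Order authorized, goods shipped and settled 71 hours later.
    Txn("T2", datetime(2015, 3, 2, 10, 0), datetime(2015, 3, 5, 9, 0),
        D("100.00"), D("100.00"), "swiped", False, False),
    # Phone order keyed in, AVS prompt skipped.
    Txn("T3", datetime(2015, 3, 2, 11, 0), datetime(2015, 3, 2, 23, 0),
        D("80.00"), D("80.00"), "keyed", False, False),
    # Clean swiped sale settled the same night.
    Txn("T4", datetime(2015, 3, 2, 12, 0), datetime(2015, 3, 2, 23, 0),
        D("50.00"), D("50.00"), "swiped", False, False),
    # Voice authorization, code forced into the terminal.
    Txn("T5", datetime(2015, 3, 2, 13, 0), datetime(2015, 3, 2, 23, 0),
        D("200.00"), D("200.00"), "keyed", True, True),
]

if __name__ == "__main__":
    for txn_id, (reasons, cost) in audit_batch(SAMPLE_BATCH).items():
        print(f"{txn_id}: +${cost} ({'; '.join(reasons)})")
```

A sale settled at exactly 48 hours is treated as on time here; confirm the cutoff your processor actually applies.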

Standard Electronic Interchange Reimbursement Fee (Visa and Mastercard)

Now that EIRF has been exposed, let me introduce you to the other part of the two-headed beast of interchange, the Standard Reimbursement Interchange Fee.

Unlike the EIRF, which only applies to Visa, the Standard applies to both Visa and Mastercard. The Standard interchange is even worse than EIRF and comes in on average at around 3 percent.

The Standard is similar to the EIRF in that it is a penalty for transactions that do not meet Visa and Mastercard requirements. The Standard will be triggered for Mastercard on transactions that do not settle within 48 hours, but it also rears its head most often with business cards. Business cards require certain information at the register to qualify for the lowest rate, and if that info is not captured, Standard fees come into play.

Standard downgrades, assuming you are on an interchange plan and can see them, are categories such as Visa Corporate Standard or Visa Domestic Standard card-not-present, and will largely occur due to the lack of submission of required data. (Called Level I, Level II, Level III data, which I will talk about in a separate article.)

You will also see the Standard charged on Mastercard transactions for all the reasons I mentioned previously that create EIRF downgrades on Visa: timeliness, no AVS, etc.

The key is awareness of what causes these downgrades and having a plan of action to stop them. Again, you cannot remedy what you cannot see and this is another reason why interchange plans are so critical and offer the merchant insight tiered plans do not.

They allow you to see your procedural mistakes and correct them. If you are not settling batches in a timely fashion, not getting AVS on keyed-in sales, not providing the proper data for business cards, you will know it on interchange, and be able to stop it to avoid the EIRF and Standard penalty fees.

In conclusion, you can see that keeping merchants in the dark on this stuff is very profitable. Most retailers focus on just the one rate for swiped cards, and not on the cost of downgrades to EIRF and Standard. This is just another reason you should be on an interchange passthrough plan, not to mention the lower debit rates you will receive in October 2011.

If you would like to discuss the benefits of interchange pass-through in more detail, e-mail me at michael@retailmerchantservices.com.

Weighing the benefits of cloud-based POS systems

Q: We currently run a premises-based point-of-sale system to run our eight stores and we’re facing an expensive upgrade of hardware and software. I’d like to investigate getting out of managing my IT internally, a huge hassle in time and money, and using a cloud-based, hosted solution. What are the advantages of cloud systems? I was at the NRF show and just overwhelmed by all the options.

A: You are not alone. Many retailers today are running older, legacy POS systems with old hardware and have reached a point where they must decide their future direction. Do they invest in an expensive upgrade of current hardware and software, and continue to absorb the costs of maintaining the system internally, or do they migrate to a subscription-based, Software-as-a-Service (SaaS), cloud-based solution?

Since you were at the recent NRF show in New York, you saw that cloud solutions for POS are all the rage. They have achieved momentum as retailers have become much more comfortable with the idea of outsourcing their IT and having their POS run off very powerful browser-based technologies over the web. For some time the big fear was what would happen when the internet goes down, would the stores still be able to run sales? All of those redundancy issues have been addressed with the next generation of cloud POS solutions.

Cloud POS is allowing retailers to have all their stores’ data hosted in the cloud, yet maintain absolute control. They are getting reporting data in real time, with no painful polling as the data is constantly flowing upward from the stores to the HQ hosted in the cloud. In addition, e-commerce is hosted in the same cloud, creating powerful omni-channel retailing where all channels share data seamlessly, in real time.

Cloud POS has also empowered retailers to utilize fully integrated mobile POS via iPads that not only ring sales but bring all the power of the system’s reporting, CRM, physical inventory, inter-store transfers, and receiving down to the tablet. That is remarkably efficient.

And finally, the biggest boon for retailers is the far lower cost of cloud solutions. Cloud POS solutions can deliver a reduction in total cost of ownership (TCO) as great as 55% compared to traditional, on-premises solutions. That is according to a four-year study conducted by Hurwitz & Associates.

With a cloud solution, you pay a monthly subscription and all the upkeep, development, and keeping the system on the cutting edge is maintained in the cloud by the provider. No more expensive, time consuming upgrades.

The key to it all is selecting the right partner, talking to a lot of customers who are on the system, and then making the move. If you want to get out of IT and focus more on your customers, the cloud can set you free.

If you would like to learn more about cloud POS you can contact Michael Dattoma at 800-501-8691.

Are you getting your share of the massive debit card cost reduction?

Are you seeing your “Durbin Dollars”?

Q: I understand that the cost to process my swiped Visa/Mastercard debit cards came down on October 1st because of the Durbin Amendment. How can I determine if I am getting the full reduction in those bank fees?

A: That is a great question that requires some detail to answer. Let me walk you down a path to understanding how to determine if you are getting your share of the debit card cost reduction.

It is true that the federal government put a cap on debit card rates that took effect on October 1, 2011 because of the Durbin Amendment (part of the Dodd-Frank Wall Street Reform and Consumer Protection Act) passed in Congress. Through the Federal Reserve, this legislation has effectively dropped the cost of debit (either swiped or pin-based) by over 80 percent.

That is obviously a massive savings opportunity for your business, and the largest drop in fees I have ever witnessed in my industry.

But the truth is the majority of merchants will not see much—if any—of that reduction. You’re probably asking how this could be, given the fact that this was an act of Congress. While it is a fact that the Durbin Amendment requires banks to lower the debit card fees they charge merchants, it DOES NOT require your credit card processor/bank to pass that reduction to you.

What you need now is an education on how to get your share of the Durbin Debit reduction.

Your October 2011 credit card statement will tell you if you are getting the debit reduction or not.

You probably just recently received your October 2011 credit card statement and that will speak volumes. That statement will reveal whether your bank/processor has decided to pass on the reduction to you, or keep it all as additional profit.

Let me walk you through four simple steps to determine whether or not you are seeing the “Durbin Dollars,” or the reduction in debit card fees, on your credit card statement.

Step 1: Open your October 2011 Visa/MC statement that just came in the mail. Let me point out that the massive reduction for debit cards is for both swiped Visa/MC debit cards as well as pin-based debit. Many retailers are under the false impression this reduction is just for pin-based debit. Not true. This covers all regulated Visa/MC swiped debit transactions which are cards issued by banks with over $10 billion in assets. (That is the majority of debit cards in circulation.)

“Non-regulated” debit cards are issued by banks with under $10 billion in assets and they were completely exempt from this legislation. The Interchange fees you are charged for those debit cards remain the same.

Step 2: Check your statement to see if it shows a section called “Summary of interchange fees,” which gives a detailed breakdown on all interchange categories, which is the wholesale cost of each card type you accept.

Warning: If you see “tiers” like qualified, mid-qualified and non-qualified you are definitely NOT on an interchange plan, and have ZERO chance of seeing the full Durbin reduction. Those tiers are a red flag that you are severely overpaying for processing.

Step 3: If you do see an interchange category, check to see if “regulated debit interchange” (again, regulated debit cards are issued by banks with over $10 billion in assets) for Visa and MC is listed as the new, heavily reduced, .05% +.22 cents. Look hard for .05% +.22 cents! If it is not listed as such, you are not getting the full reduction in debit interchange passed to you.

Again, on October 1, the interchange rates for regulated debit cards were reduced to .05% +.22 cents from their previous debit rates that average 1.00% +.17 cents.

Did you get that? It dropped from 1.00% down to .05% on the rate component for debit cards. A massive drop. Now don’t let these numbers make your eyes glaze over. Please pay attention carefully as it will save you a lot of money.

For example, if you were on an interchange plan on October 1, on a $200 sale you would now pay 32 cents for swiped debit interchange instead of the $2.17 cents you now pay. That is a $1.85 cent savings on that one sale that you should be getting on debit. An 85% drop in fees!

But, as I stated earlier, the majority of merchants will not see any of that savings. They will pay the same exact high rates for debit rates as if nothing ever changed simply because the interchange savings are not being “passed-through.”

Step 4: If you don’t see the .05% +.22 cents anywhere on your statement, it is time to take action since you are not getting your fair share of debit reduction. This means that you are most likely on a tiered rate plan or a bill back plan; both have inflated surcharges.

As a recap from my previous articles, let me explain why the majority of merchants will not see their Durbin debit reduction on their October statement.

The reason they are not getting their fair share is that they are not on the same rate structure as the large chains, an interchange passthrough plan. Instead they are on antiquated rate plans that do not pass through these benefits: the tiered rate plan or a bill back plan. On a tiered rate plan, debit card rates are locked in at a percentage and are not automatically reduced when there is a reduction of the underlying interchange percentage.

Tiered plans are easy to spot, but there is a faux interchange plan, called a bill back plan, that is more onerous than tiered plans in driving up fees. It is more deceptive because to the untrained eye, it looks like an interchange plan. For a full discussion of interchange plans, see my earlier article. And for an in-depth treatment of the cap on debit card interchange, see this article.

If you would like more information on how you can benefit from an interchange passthrough plan, please email me at michael@retailmerchantservices.com or visit us at www.Interchangemadeeasy.com.

Is PCI (Payment Card Industry) compliance a big scam?

Q: Can you please help me understand what I need to do for PCI compliance? I know it’s important to secure data, but I can’t help but think that PCI is a scam, just a way for vendors to grab money out of my pocket without any measurable return.

A: Sure, and I understand. PCI (Payment Card Industry) compliance has been a cause of both great concern and great confusion to retailers. There has been much fear, uncertainty and doubt on the part of retailers about the best way to secure their customer credit card information from hackers, coupled with frustration and resistance given what seems like an insurmountable task that will cost retailers money. They ask, will there be an ROI? What am I getting for the time, effort and money I am putting into PCI compliance?

Let me start off by saying that PCI compliance is very real, here to stay, and serves a very important purpose, to protect your customers’ credit card data. And protecting data, especially customer data, is a best practice that should be taken seriously regardless of any mandates by PCI. But with so many companies vying for your PCI compliance dollars, merchants can feel that the entire PCI compliance machine is just a big money grab.

It’s easy for a merchant to become jaded and lose sight of the seminal point of PCI. It’s about protecting your business from a data-breach that can compromise your clients’ credit card data. The reality is that it can potentially devastate your business, as well as cost you a fortune in fines and fees.

So let me give it to you straight: PCI data standards are not optional. Merchants discovered to be out of compliance can be hit with serious fines: anywhere from $5,000 to $100,000 per month, at the sole discretion of the card brands. Depending on the size and overall health of your small business, being handed one of these fines could mean a major problem or total bankruptcy. Beyond the fines, your business reputation is at stake when you are responsible for securing client data.

Now that you hopefully see that PCI is real and important, you need to have a plan of action for PCI compliance. Allow me to review some facts about PCI, and walk you through some steps to take:

The full name of the organization that created the security standards is “The PCI Security Standards Council,” or PCI-SSC, which is an organization founded by American Express, Discover, JCB International, MasterCard, and Visa.

The PCI-SSC mandated the PCI-DSS (Data Security Standard) which is comprised of 12 steps required for retailers to properly secure their credit card data (view those 12 steps here). PCI-DSS mandates that any merchant who takes payments must be PCI-DSS compliant and it is the merchant’s responsibility to ensure that compliance. These 12 steps are best practices for any organization to secure their data.

In the PCI-DSS world, retailers are divided into four levels to determine compliance requirements. So the first step is to determine what level your business falls into:

Level 1: More than 6 million Visa/MasterCard transactions per year.
Level 2: 1 million to 6 million Visa/MasterCard transactions per year.
Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
Level 4: Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually.

Most of the independent specialty retailers we serve fall into the Level 4 grouping. Once you’ve determined your level under PCI, what is your next move? If you’re Level 1 or 2, then you need to hire an auditor, called a QSA or “Qualified Security Assessor” to verify your compliance with the PCI-DSS standard. The PCI Security Council has developed a set of self-assessment questionnaires (SAQs) that can be used by Level 3 and Level 4 merchants to help them figure out if they’re compliant with the PCI-DSS standards.

There are 4 different SAQ forms to use depending on the following criteria:

SAQ A: Card-not-present (e-commerce or MOTO) merchants, all cardholder data functions are outsourced. This would never apply to face-to-face merchants.
SAQ B: Stand-alone or dial-up terminal merchants with no electronic cardholder data storage.
SAQ C: Merchants with payment application systems (POS or credit card processing software) connected to the internet with no electronic cardholder data storage.
SAQ D: All other merchants not covered above, and service providers.

You can download the SAQ forms directly at pcisecuritystandards.org.

What is validation?

In addition to PCI compliance, there are also PCI validation requirements (depending on what level retailer you are, as discussed above) which means you need to prove you are compliant by submitting validation certificates, SAQs and network scans to the PCI Security Council or your payment processor.

Your validation requirements, deadlines and penalties for non-compliance will vary depending on your PCI level, and what your payment processor may require of you. Validating PCI compliance is required for Level 1, 2 and 3 retailers but not set in stone for Level 4 retailers. The reason for the Level 4 ambiguity is there is much debate on who will own the process to make sure Level 4 retailers are PCI compliant.

Many payment processors are now taking on that role and forcing their merchants to validate and document compliance or face monthly penalties, and there are others that choose to educate the merchants and direct them on the best course of action. At this time, it is totally up to the credit card processor for Level 4 merchants whether they need to validate their compliance.

The bottom line

So you will either be self-policing your PCI compliance and filing away an SAQ each year, or you may be asked by your processor to validate your compliance by completing an SAQ and performing quarterly network scans. These scans must be performed by an approved scanning vendor (ASV), as specified by the PCI Security Standards Council.

All retailers who take credit cards need to complete the SAQ annually, and if they have difficulty can work with their POS or IT support to help them, as well as the many approved organizations that specialize in helping retailers complete the SAQ and run scans.

You need to take the PCI-DSS seriously and be proactive and develop best practices to secure your data and networks. Get deeply acquainted with the SAQ, and get it completed. If you want to be more proactive and get guidance, I recommend working with an ASV and having them help you complete your SAQ and perform quarterly scans to achieve validation.

PCI-DSS is a collaborative effort between parties. Your processor, your POS software company, your IT department and management need to work together to make sure you are complying with the 12 Steps of PCI-DSS.

If you would like more information on PCI, on the 12 Steps of PCI-DSS, or any other questions you may have, please email me at michael@retailmerchantservices.com.

Explaining credit card interchange plans

Q: Can you explain credit card interchange plans and if they can save me money? I am currently being charged different rate tiers (such as Qualified, Mid-Qualified, and Non-Qualified rates) and my fees seem to keep going up each year. What is my best course of action?

A: Once upon a time, credit card processors created an innocent-sounding system called “bucketing” or tiered plans. That is what you are on currently. All credit card transactions were lumped into three or four neat little groups (buckets), and a corresponding rate was assigned to each. Today, the most common buckets are qualified (if you swipe a card), mid-qualified (if you key in a card and perform AVS, or Address Verification), and non-qualified (downgrades for no AVS, not settling on a timely basis, or other penalties).

So what determines the rates in these buckets? This is where you see how these plans work against you and why your fees are so high. Neither Visa nor MasterCard regulates the bucketing system—which leaves it to the processing company to decide what goes in and out of every bucket. These classifications can vary from one deal to the next, and the processors don’t even have to disclose these terms in the contract you sign. The mark-ups on these plans can be massive, yet since most retailers’ credit card statements read like hieroglyphics, they go undetected.

Most merchants think bucketed systems are their only option, but some, like you, have discovered the secret of the nation’s largest retailers: the interchange pass-through rate structure.

Interchange rates are the prime rates or wholesale cost that processors pay to the issuing banks (which issue the credit cards to the consumer) that work with Visa and MasterCard. To this basic cost, processors add their fees and administrative assessments to arrive at your final rate. So let’s say you swipe a standard Visa credit card in your store. With interchange pricing, your cost for that transaction is the true interchange rate, or wholesale cost, plus whatever mark-up and per-item fee the processor adds on. Unlike the bucketed system, there are no buckets with completely arbitrary pricing — just one rate schedule for all transactions based on actual Visa/MC costs.

In truth, bucketed systems also have a built-in incentive for processors to downgrade your transactions to mid-qualified and non-qualified, charge higher rates and increase margin. When a card doesn’t swipe correctly or the wrong information is entered to verify the transaction, you pay more and the processor makes more. With interchange pricing, the processor doesn’t profit when problems arise. Your processor acts like a partner, not an adversary, and is much more likely to let you know about inefficiencies in your processing system.

As you can see, it’s not just the rate that matters; it is the credit card structure that matters even more. Your qualified rate may look low to you, and easy to spot on your statement, but it is the underlying markups on downgrades and other hidden fees that can cause your effective, true rates to balloon.

There is another credit card plan called bill back that looks like interchange (because it breaks out the different interchange categories) but is really a hybrid of the bucketed rates and is a major red flag for hidden fees. In these plans you are charged a targeted rate, similar to a qualified rate, and then are charged arbitrary surcharges based on the different interchange categories that are processed. This plan is the most onerous in that it includes the most hidden fees, with statements that are impossible to comprehend.

There is only one true, pure interchange plan, and that is an interchange pass-through plan. As I have explained, retailers that are not on an interchange pricing structure are most likely paying much higher costs on payment processing.

At first glance, interchange can be a little confusing, but you don’t need to be an expert to benefit from it. Once you are educated on the benefits, you will understand why an interchange pass-through credit card structure is the most advantageous for your business.

If you would like a deeper education on interchange pass-through send me an email and I will send you an overview of Interchange 101.