It’s hard to beat the convenience of selling products over the internet. Not only do you not have to worry about paying the overhead costs of a brick and mortar store (unless you want to), but you can sell to customers who live far from your local market.
If your experience taking electronic payments has been limited to swapping cash with friends via Venmo, you’ve probably got a lot of questions about how to get started. In truth, it’s probably both more and less complicated than you think.
So let’s dive in and try to teach you everything you need to know about eCommerce payments.
1. There’s No One-Size-Fits-All Solution
First, some disappointing news. There isn’t one single “correct” way to handle eCommerce. The right payment processing solution will depend upon a number of factors. Take a business website, for example. Do you currently have one that you’d like to start selling products through? Or are you content to use a premade shopping cart template? If you’re a relatively technical person, you can integrate solutions into your site with software APIs or plugins. If you’re not, you’ll probably want to consider a service that provides that functionality upfront. While you can potentially save money doing it yourself, you’ll need to make sure that you’re keeping your customers’ information secure and reducing your own liability.
You’ll also want to consider the nature of the payments you’ll be accepting. Are your customers just buying a product one-off, or are they subscribing to a service that will require recurring monthly payments?
And of course, you’ll need to take stock of your budget and figure out how much you’re willing and able to spend on payment processing and any additional software services.
2. You Need A Payment Processor And A Gateway
A common point of confusion for people new to eCommerce is that there are actually two components to taking payments online. You need both a payment processor and a gateway. These services may be offered together as a package (PayPal, Square, and Stripe, for example) or separately. If you do end up going with a payment processor that doesn’t include gateway access, you’ll need to get it from a separate service like Authorize.net.
A payment processor provides an account that allows your business to accept credit cards and receive credit card payments. It’s also used to deduct fees and processing charges associated with the transaction. After the payment gateway successfully processes a transaction, your payment processor receives the information.
A payment gateway stands in for what would be your point of sale (POS) interface in a brick-and-mortar transaction. It allows you to securely process payments online by relaying the transaction information from your site to the processor, which then requests the payment from the customer’s bank before releasing funds to you. A payment gateway is also responsible for most of the security features associated with online payments as well as offering services like recurring payments and a credit card vault.
Types Of Payment Processors
Because nothing is ever simple in the world of payment processing, you won’t just need to think about getting a payment processor, but what type of payment processor you need.
The safest option is to go with the tried-and-true merchant account. Think of your merchant account as a holding area where all the busy work of receiving a credit card payment happens. Unlike, say, a business checking account, you don’t have direct access to your merchant account or the ability to directly make deposits and withdrawals to it. Instead, it automatically transfers payments to your business bank account, typically a day or two after receiving the transaction.
Merchant accounts are generally stable and you’re unlikely to encounter holds, freezes, or terminations unless you have a sudden spike in chargebacks. Because of the underwriting process, merchant accounts are somewhat slow to establish: you’re probably looking at three days or so to get it up and running, though if you are negotiating or your business is particularly complex, it could take longer. The biggest drawback is that they often have minimum credit card transaction thresholds you have to meet; $5,000/month is typical but some expect you to handle at least $10,000/month in credit card sales. Pricing models with merchant accounts vary, and not all of them are great. We recommend interchange-plus pricing because it’s the most transparent and easiest to compare.
So what do you do if your new business isn’t doing that kind of sales volume?
You can turn to a third-party processor (aka payment services provider). Instead of having your own, unique merchant account, a third-party processor puts you in a pooled account with other merchants, from which fees are deducted in a similar manner to the merchant account. Signing up for a third-party processor is typically faster and easier than for a merchant account (you can start accepting payments the same day), but puts you at greater risk of account holds and terminations. Still, they provide an entry point for new businesses, or established ones that want more predictable pricing. Most third-party processors use a flat-rate pricing model where you’ll pay the same fee regardless of the card type; for eCommerce, that rate is commonly 2.9% + $0.30.
3. You Can Accept More Than Just Credit Card Payments
While credit and debit cards will probably make up the bulk of your eCommerce transactions, they aren’t the only way to make payments online.
It seems like every few years a new tech company rolls out their own digital wallet. We’re talking about services like Apple Pay, Google Wallet, PayPal, Venmo, and Cash App that allow you to link one or more payment sources to a single app account. In person, mobile wallets (a type of digital wallet that lives on your phone) allow you to make near field communication (NFC) purchases at terminals that allow tap-to-pay. In most cases, mobile wallets directly debit a linked credit or debit card while other digital wallets tend to store a balance, which can be used to make payments or be deposited into a bank account.
Many of these services can be used to make payments online as well. If your payment gateway doesn’t support mobile payments out of the box, it probably won’t be that big a deal since the customer can still just pay with the card attached to their mobile wallet. But if you want to go ahead and support mobile payments, you may have to add some code to your store.
The other type of payment you may want to think about isn’t cutting edge. In fact, it’s been around since the 70s: the automated clearing house (ACH). ACH transactions cut out the credit card company middleman and instead establish direct transfers between bank accounts. ACH payments can be one-time transactions, but if you’re using them in a retail context, you’re probably more interested in using them for recurring payments.
ACH is a bit more laborious to use at the point of sale than credit/debit cards, but it is a much less expensive way to process transactions and less prone to fraud and chargebacks. Most payment processors don’t offer ACH support by default, but a number do offer it as an add-on. Failing that, you may need a supplemental service.
Do You Want To Sell Globally? Prepare To Pay More
The internet is a miracle of the modern age, connecting people together and granting you easy access to markets abroad! Right?
While it’s true that you can theoretically sell anywhere in the world, it introduces some additional complexities. For starters, there’s the matter of different currencies. Someone’s got to turn those euros into dollars! Some service providers, like Stripe, will handle currency conversions for you. Keep in mind that this service will usually come at a premium; in the case of Stripe, you’re looking at an additional 2% charge on your transaction.
And of course, you might want to convey the price of your goods to customers in their local currency. This feature usually goes hand-in-hand with automatic currency conversion, but you might need to enable this feature if you want to attract global buyers.
You’ll also need to take local taxes, customs, and duties into account, which means familiarizing yourself with foreign concepts like the value-added tax (VAT), which is used in Europe, Canada, South America, and Africa, as well as China and India. Here again, there are services that can take care of most of this complexity for you, but be prepared to pay for the privilege.
4. You Need To Be PCI Compliant
If you’re doing eCommerce, you’re going to be handling people’s money, and that means security concerns. And yes, yet another acronym.
The Payment Card Industry (PCI) has established a set of guidelines called the PCI Data Security Standard (PCI DSS) designed to minimize the risk of data being compromised by bad actors. So far so good, but PCI compliance is complicated by the fact that it’s actually a set of four different standards. The standard that applies to you is based on the number of debit and credit card transactions you process annually. Risk level four is considered the lowest risk, while risk level one is considered the highest. The fewer transactions you process, the lower risk you are unless there’s a data breach, at which point you’ll probably be considered risk level one regardless of your volume.
It gets a bit complicated, but what this means in practical terms for you is that you want to make sure your payment processor is PCI compliant and that you’re following the guidelines laid out by your PCI-compliant payment processor.
Payment Security Is Important
It can be a headache, but payment security will ultimately help protect your business and save you from costly chargebacks and account freezes. EMV chips have helped to reduce in-person credit card fraud, but unfortunately, that means online transactions are the new low-hanging fruit for fraud.
In addition to maintaining PCI compliance, security features like AVS (Address Verification Service) and CVV (Card Verification Value, that short number you’re asked for sometimes) provide extra layers of verification that would-be fraudsters have to work through. Programs like Visa’s 3D Secure are also constantly evolving to keep pace with the changing payment security landscape.
How To Find An eCommerce Payment Provider
Got all that? eCommerce payment processing has a lot of moving parts that can confound even the tech-savvy. Having a sense of the functionality you need in advance will make it much easier to select a payment processor and gateway that can handle the transactions your business depends on. But you should also keep in mind how much of a budget you have for the monthly services required to keep your eCommerce setup running, what you can expect to pay for payment processing, and whether you’re going to need some technical assistance in building out your system.
If you’re ready to get started, we recommend checking out our list of the best online credit card processors. This will give you the rundown on some of the best options in the industry. If you want to learn a bit more about online payments before you get started, our article How To Choose An eCommerce Merchant Account is another great resource.
The post Everything You Need To Know About eCommerce Payments appeared first on Merchant Maverick.
So you’re looking to take advantage of everything that online commerce has to offer and enter the world of ecommerce? Good for you! Of course, this will require you to be able to accept online credit card payments. To do this, you’ll need an internet merchant account.
Sounds simple enough, right? If only! Not all merchant accounts are created equal. When choosing an internet merchant account for your ecommerce business, you’ll need to understand how a merchant account interacts with the other elements necessary for selling online, like payment gateways, payment processors, and shopping carts (not the kind you push around). Some services combine one or more of these elements, but it’s still important to distinguish these elements from one another.
Confused yet? Don’t worry — we’ll spell it all out for you!
What Is A Merchant Account?
A merchant account is a specific type of business account into which your customers’ money is deposited after they use their credit or debit card to make a purchase from you. After these payments are verified, the money is transferred to your own business bank account, which is entirely separate from your merchant account. You have no control over the merchant account — it is merely the middleman between your customers’ money and your business bank account.
So, why include this middleman at all? Wouldn’t it be easier to simply accept credit and debit card payments directly and get the funds deposited directly into your business bank account?
Unfortunately, credit card processing doesn’t work that way. When your customer pays you, the transaction ultimately still involves two other major parties: the issuing bank (which issues the customer’s card and is responsible for collecting any payments from the customer) and the acquiring bank (which requests and then collects payments from the issuing bank and then releases them to the merchant). Because the payment process is so complicated — the acquiring bank has to ask for the funds from the issuing bank, which has to verify that the customer has those funds available and then transfer them — the merchant account essentially functions as a holding space or even as a sort of line of credit.
Merchant Account VS Third-Party Processor
When selecting a service to process your customers’ card payments, you’ll be choosing from between two different categories of services: direct processors (the providers of merchant accounts like the kind described above) and third-party processors (also called aggregators) like PayPal, Stripe, and Square.
Setting up an account with a third-party processor is simpler and less time-consuming than setting up a merchant account. This is because third party processors don’t set you up with your own unique merchant account. Instead, the third-party processor aggregates all of its merchants into one enormous merchant account.
What do these differences mean for you, the merchant? For starters, the merchant accounts offered by direct processors typically provide you with a higher level of account stability. This is due to the extensive underwriting and risk assessment you have to undergo to get your merchant account. With third party processors, you are subjected to very little underwriting beforehand. Therefore, the processor scrutinizes your activities much more intensely, making it more likely that you’ll experience an account hold or termination.
The flip side of this is the cost advantage of third party processors. These services typically feature flat-rate pricing and pay-as-you-go agreements. There are few (if any) monthly or annual fees to pay, and you don’t need to meet a monthly minimum in card transactions, making it easy to start taking credit card payments with no established business history.
With direct processors, you’ll be paying monthly and potentially annual fees, you’ll need to be processing at least $5,000 to $10,000 per month in card transactions, and the pricing is not normally flat-rate — your rates may vary depending on the nature of your business model and your industry. Many merchant accounts still require you to sign a multi-year contract. (That said, many of the best processors in the industry have done away with these 3-year contracts and early termination fees in favor of month-to-month agreements, and we recommend that you not settle for a multi-year contract until you’ve explored all your options.) Still, above that $10,000/month mark, merchant accounts do offer cost savings and as your volume increases you’ll qualify for even more discounts.
For more on third-party processors and how they stack up against traditional merchant accounts, check out these articles:
The Best Online Credit Card Processing Companies
The Truth About Third-Party Payment Processing
What’s A Payment Gateway?
We’ve established what a merchant account is, so let’s move on to payment gateways.
While a merchant account is the account into which your payment processor sends your customers’ payments before they are transferred to your business bank account, a payment gateway connects your online store to your payment processor, facilitating your customers’ online transactions.
Payment gateways enable online transactions like so: the gateway integrates with your ecommerce store to securely capture the payment details for customer transactions. The gateway then routes that information to your payment processor or acquiring bank, which assumes control of the payment process. The gateway will then send an approval or decline message back to the merchant based on whether or not the processor/acquiring bank accepts the payment.
When you use a third-party processor, a payment gateway is typically included in the service. With direct merchant accounts, a gateway service may or may not be included for an additional fee. Some processors do offer gateways as part of their services, at no additional cost. Ultimately you’ll need to check with the processor to find out.
PCI Compliance With Online Merchant Accounts
What is PCI compliance, and how do you achieve it?
PCI compliance refers to a set of safety practices established by a council (the Payment Card Industry, or PCI) sponsored by the major credit card companies to ensure that a consumer’s payment information is secure when making a purchase using a credit or debit card. These standards, which apply to all businesses that accept credit and/or debit cards, are meant to standardize the securing, processing, and transmission of cardholder data.
If your merchant account provider deems you to be PCI non-compliant, you’ll be subject to a PCI non-compliance fee of around $30 per month until your account is compliant. What’s more, if your non-compliance results in a data breach, you can be fined anywhere from $5,000 to $500,000!
You’ve probably gathered by now that it’s a good idea for your business to be PCI compliant. For most small businesses, that means being Level 4 PCI compliant. Level 4 is the PCI standard that applies to businesses up to a certain size — it’s essentially the lowest bar to clear. Larger businesses must comply with higher PCI standards, with Level 1 standards applying to both the largest businesses and businesses that have suffered a data breach.
When choosing a payment processor, you’ll want to make sure your provider offers features such as PCI compliant processing hardware and software, quarterly network vulnerability scans, and assistance with completing and filing a Self-Assessment Questionnaire (SAQ).
Most third-party processors handle the entire process of PCI compliance for you, but with a merchant account, you should expect, at minimum, to have to complete the SAQ yourself.
If you’re running a brick-and-mortar business with no ecommerce component, you might think PCI compliance has nothing to do with you. However, if your business accepts credit cards, it almost certainly utilizes the internet to do so at some point in the process, so you’ll still need to be PCI compliant. It’s easier for physical-only businesses to establish PCI compliance than it is for online businesses, though.
Some PCI best practices are no-brainers. For instance, you don’t want to store your customers’ card data on your own hard drive or server, you should never use default passwords, and you’ll need to use a firewall on your network and computers. There’s more to PCI compliance than these obvious measures, however. For a detailed explanation of what PCI compliance means for your business, I highly recommend reading our comprehensive article on the subject, The Quick Guide To PCI Compliance For Small Businesses.
How Much Does An Internet Merchant Account Cost?
When choosing a merchant account, it’s important to know the different pricing models offered by payment processors:
Flat-Rate Pricing: This pricing model has the advantage of being predictable. You’ll pay a fixed rate for each transaction, making it easier to predict your processing costs. While you’ll usually pay more on a per-transaction basis than with other pricing models (and you don’t know how much the processor is making off a transaction), you probably won’t have to pay monthly fees or other types of fees charged by processors offering other pricing models. Third-party processors like PayPal, Square, and Stripe use this pricing model. To learn more about flat-rate pricing, check out our flat-rate credit card processing explainer.
Interchange-Plus Pricing: Also known as cost-plus pricing, interchange-plus pricing is the pricing model preferred by Merchant Maverick. Why? Because it’s the most transparent model and it makes rate comparisons between processors easy. With interchange pricing, the processor passes on the interchange fees (fees charged to the merchant’s bank account and paid to the bank that issued the card) and assessments (fees paid directly to Visa or Mastercard etc.) while charging a small markup above that (often a percentage and a flat fee). Check out this article for more on how interchange-plus pricing works and why we prefer it.
Membership Pricing: This is the pricing model used by subscription-based payment processors like Fattmerchant and Payment Depot. Under this pricing model, you’re charged a single monthly subscription fee instead of the assortment of fees other pricing models feature. You’ll also likely pay a flat fee of between $0.08 and $0.15 per transaction as well as interchange fees. Higher-volume businesses can find themselves saving money under this pricing scheme.
Tiered Pricing: Tiered pricing is an older pricing model not commonly used by modern businesses. We don’t recommend it. All transactions are grouped into two or three tiers of transactions, ranging from the lowest-priced transactions to the highest-priced transactions. Essentially, the problem with tiered pricing is that processors can categorize transactions assumed to be in a lower-priced tier as higher-priced transactions, thus charging you more and leaving you little recourse. You should avoid tiered pricing arrangements.
For most small businesses, using a third-party processor with flat-rate pricing like Square or PayPal may be more affordable than using a full-service merchant account. Of course, this entails a much greater risk of having your account frozen or terminated, which is, in itself, a very costly thing to happen to any business.
One thing that affects what your internet merchant account will charge you is the fact that CNP (card not present) transactions, including online purchases, cost more to process than do in-person transactions. This is due to the fact that the chance of chargebacks and fraud is higher with transactions where the card is not present, and this is factored into the cost of processing the payment.
Other fees you may (or may not) have to pay include PCI compliance fees, payment gateway fees, and fees for ACH acceptance if you want to offer customers the ability to pay with their bank accounts in addition to cards. To learn more about the complex and relatively opaque world of internet merchant account pricing, read through our Complete Guide To Credit Card Processing Rates & Fees.
Features To Look For In An Internet Merchant Account
Let’s go through some of the features that may be included in your internet merchant account package.
One benefit of third-party processors like Square is that a payment gateway is included as part of the service so you won’t have to go looking for one yourself. Of course, third party processors have their drawbacks as well, so you’ll be glad to know that some direct processors include a payment gateway in their services as well.
Remember, if you plan to do business online, whether it be through selling goods, offering SaaS, or what have you, you’ll need to be able to accept online credit card payments. To do that, a payment gateway is an absolute requirement.
Multiple Payment Methods
We’ve established that you’ll want to be able to accept credit and debit cards. However, there are other payment methods your customers may want to use, and you want to be able to accommodate them. From mobile wallets like Apple Pay on the web to ACH payments, the more payment methods your payment gateway (and payment processor) supports, the better.
Global Payment Support
With some merchant accounts, you can only accept payments in USD. If you expect to be able to attract any international business, that’s obviously not going to be good enough. Thankfully, many merchant account providers can set you up with a multi-currency ecommerce merchant account so you can expand your global reach. Just be aware that you’ll likely pay currency conversion fees (if they aren’t passed to your customers). PayPal and Stripe do very well in this regard, and Stripe actually supports many localized payment methods across Europe and Asia.
As an added note — some processors offer a feature usually referred to as dynamic currency conversion or localized currency displays. This means that your website will automatically convert the price from USD (or your default currency) to whatever currency is most common in the customer’s region. This can improve the shopping experience for international customers and potentially increase your sales.
Included Shopping Cart (Or Other Software)
An online shopping cart integrates with your website to facilitate ecommerce. The shopping cart enables your customers to look through your available products, select different options for each product (size, color, etc.), select the quantity of the products they want to order, and more.
Most merchant accounts can be integrated with major shopping carts, but if you can find one that includes a good shopping cart already, that’s even better, as you’ll be saving money.
Other handy features to look for include a customer credit card vault that allows you to securely store your customers’ card information while keeping it off your own equipment and subscription tools that let you create and manage customer subscriptions. Stripe is an example of a processor with built-in subscription tools and a card vault. However, you can also opt for a third-party provider to get recurring billing functions.
Processors with integrated developer tools, like Stripe, allow developers to use APIs (application programming interfaces) to integrate the payment platform using a variety of different programming languages. For the business with developer talent, integrated developer tools can help you build custom solutions for your ecommerce outfit.
Good customer service and availability are critical in an internet merchant account. Your ability to do business relies on all your systems working correctly 24/7, so reliability and quick response times are crucial. Do some research on merchant account providers to weigh the experiences of other merchants when dealing with any issues that pop up, and make sure that the available support channels jibe with your preferences.
How To Choose The Right Provider For You
That was a lot to take in, wasn’t it? If you’re feeling overwhelmed, don’t worry! Merchant accounts are Merchant Maverick’s original specialty, and we’re here to help you delve into the nitty-gritty of merchant account pricing, features, and provider options.
Here are some links to help you learn more about merchant account options, features, and more:
The Best Online Credit Card Payment Processing Companies
How To Choose An eCommerce Merchant Account
The Complete Guide To Online Credit Card Processing With A Payment Gateway
How To Accept Credit Cards Online
The post The Complete Guide To Finding An Internet Merchant Account appeared first on Merchant Maverick.
When it comes to payment processing, security matters. After all, every time you handle a credit card, your customer is trusting you with their financial information. By now, you have probably come across the term PCI compliance on your monthly processing statements, and you know it’s a data-security related term. A little digging on the internet reveals that PCI compliance is complicated and the subject matter is full of acronyms and industry jargon.
One term often associated with PCI compliance is cardholder data. Even though the term is a small part of the overall PCI compliance scheme, it is a fundamental building block term. Understanding what cardholder data encompasses will help you navigate more smoothly as you learn more about the complicated world of PCI compliance.
What Does Cardholder Data Include?
Even from its plain meaning, cardholder data suggests that the data includes information on both the front and the back of a credit or debit card. Formally, cardholder data is defined as:
The primary account number (PAN).
And may include:
Other sensitive authentication data used to authenticate cardholders and/or authorize payment card transactions, including, but not limited to, card validation codes/values, full track data from the magnetic stripe or chip on a card, PINs, and PIN blocks.
Cardholder data, therefore, could include most of the information on the payment card itself, whether plainly visible like the PAN or stored in the magnetic stripe or on the chip of the card.
Cardholder Data & Maintaining PCI Compliance
Knowing the definition of cardholder data is one thing, but this knowledge is useless without understanding how cardholder data fits into the overall scheme of PCI compliance.
Basically, cardholder data includes all the information on a credit or debit card that’s needed to transfer money from one party to another. Unfortunately, where there is money, there are thieves. So, some years ago, the larger credit card companies banded together to form the PCI Security Standards Council. The Council’s job is to formulate data security rules and best practices so that the storage and transmission of credit and debit card information from the cardholder to the merchant to the banks — and everywhere in between — can be secure.
How Cardholder Data PCI Compliance Rules Affect Merchants
As a small business merchant, not all of the PCI compliance rules apply to you. For the rules that do apply, failure to follow them means getting a fine, usually from your processor. However, note that there are other country- or state-specific data security and privacy laws that might apply to merchants as well. Often, the laws require the holder of the information to take reasonable steps to keep the information safe. Failure to comply with the laws often results in a fine, but sometimes can result in heavier punishments like an injunction. Since the PCI Security Standards Council’s rules are typically more stringent and detailed, it is easier for a merchant to simply follow the PCI Security Standards Council’s compliance rules and best practice suggestions. Requirement 3 of the Payment Card Industry’s Data Security Standard (PCI DSS) specifically addresses cardholder data.
Different Rules For Storing Or Not Storing Cardholder Data After A Transaction
There are several ways a merchant could choose to handle cardholder data. As a threshold matter, we assume that you already use PCI compliant card readers, point of sale terminals, and encryption software for transmitting the cardholder data to your processor.
A customer might pay in person, pay over the phone, or pay through a web interface. As long as you do not keep the cardholder data on file (whether stored electronically or even just temporarily scribbled on a piece of paper), then you are in compliance with PCI requirements for cardholder data. If, however, you do wish to keep cardholder data on file so you can, for instance, provide your customers a faster checkout, then there are additional PCI rules and best practices you must follow.
To keep the cardholder data on file, a merchant has two basic choices: keep the cardholder data in a computer system at the business (all the while making sure everything is PCI compliant), or hire a third-party service to keep the data on their server while only keeping a token at the business.
With the former, the merchant must follow additional complex requirements for both hardware and software set out by the PCI Security Standards Council. Typically, this method is only employed by larger businesses that have the money and personnel to maintain the hardware and software. With the latter, it is possible to keep the cardholder data with a third-party service provider that is already PCI compliant. Rather than the cardholder data, you only keep a token that can eventually be matched to the cardholder data. Recently, credit card tokenization has become a more popular choice because a token is not cardholder data and so is not subject to the same PCI compliance rules as cardholder data.
Protect Cardholder Data With Tokenization
We have an article explaining the details of tokenization, but, briefly, payment card tokenization is a process that takes the cardholder data and assigns it a random series of numbers and (sometimes) letters called the token. The cardholder data is stored in a highly secure electronic vault using PCI compliant hardware and software. Only the owner of the vault has the ability to match the token with the specific cardholder data it stands for.
As a business owner, all you have stored in your system is the token. In order to access the rest of the payment card information, you must send the token to the vault holder, which retrieves the actual cardholder data before sending the information onward for further payment processing. If you experience a data breach, then all you have to do is notify your storage company so they can assign new tokens to you. The cardholder data should remain secure as long as you quickly find the breach and notify the storage company.
From a practical standpoint, with tokenization, you won’t have to worry about PCI compliance because you don’t have the cardholder data on your premises. All the encryption and data security required to be PCI compliant are farmed out to a third party, leaving you time to concentrate on running your business.
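To make the division of labour concrete, here is an added example (not code from the article or from any vault vendor) of a toy tokenization vault beside a merchant record store that keeps only tokens. The card number, customer id, amounts and the `tok_` token format are all constructed for illustration; a real vault would encrypt card data at rest and keep its keys in an HSM.

```python
# Added example (constructed, not the article's or any vendor's code): a toy
# tokenization vault and a merchant store that never persists a card number.
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Luhn mod-10 check: rejects mistyped numbers before they are vaulted.
    It is only a format check, not proof that the card exists or is active."""
    if not pan.isdigit() or not 13 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """What a receipt or dashboard may show: only the last four digits."""
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass
class Authorization:
    token: str
    masked_pan: str
    amount_cents: int
    approved: bool


class TokenVault:
    """The PCI-scoped third party; it alone can map a token back to a card number (PAN)."""

    def __init__(self) -> None:
        self._pan_by_token: dict[str, str] = {}
        self._token_by_pan: dict[str, str] = {}

    def _new_token(self) -> str:
        # Random, not derived from the PAN, so a stolen token reveals nothing about the card.
        while True:
            token = "tok_" + secrets.token_urlsafe(16)
            if token not in self._pan_by_token:
                return token

    def tokenize(self, pan: str) -> str:
        """Called once at card entry; the PAN is never written to the merchant's database."""
        if not luhn_valid(pan):
            raise ValueError("not a well-formed card number")
        if pan in self._token_by_pan:       # same card, same token (repeat customers)
            return self._token_by_pan[pan]
        token = self._new_token()
        self._pan_by_token[token] = pan
        self._token_by_pan[pan] = token
        return token

    def charge(self, token: str, amount_cents: int) -> Authorization:
        """Merchant sends token + amount; detokenization happens only inside the vault
        before the PAN goes to the processor (simulated here: approved if amount > 0)."""
        pan = self._pan_by_token[token]     # KeyError for unknown or retired tokens
        return Authorization(token, mask(pan), amount_cents, amount_cents > 0)

    def reissue(self, leaked_tokens: list[str]) -> dict[str, str]:
        """Breach response from the article: retire leaked tokens and hand the merchant
        replacements. The cards themselves do not have to be reissued."""
        replacements: dict[str, str] = {}
        for old in leaked_tokens:
            pan = self._pan_by_token.pop(old)
            new = self._new_token()
            self._pan_by_token[new] = pan
            self._token_by_pan[pan] = new
            replacements[old] = new
        return replacements


class MerchantStore:
    """Everything the merchant persists for faster checkout: customer -> (token, last4)."""

    def __init__(self) -> None:
        self.cards: dict[str, tuple[str, str]] = {}

    def save_card(self, customer_id: str, vault: TokenVault, pan: str) -> str:
        token = vault.tokenize(pan)
        self.cards[customer_id] = (token, pan[-4:])   # the PAN is dropped after this call
        return token

    def apply_reissue(self, replacements: dict[str, str]) -> None:
        for cid, (token, last4) in list(self.cards.items()):
            if token in replacements:
                self.cards[cid] = (replacements[token], last4)

    def contains(self, secret: str) -> bool:
        """Defender's check: does anything persisted here contain the given value?"""
        return any(secret in token + last4 for token, last4 in self.cards.values())


def demo() -> tuple[bool, bool, bool]:
    """Walk one card through entry, charge, breach and reissue; return the key facts."""
    vault, store = TokenVault(), MerchantStore()
    pan = "4111111111111111"                                  # constructed test number
    old = store.save_card("cust_42", vault, pan)
    auth = vault.charge(old, 1999)
    store.apply_reissue(vault.reissue([old]))
    try:
        vault.charge(old, 100)
        old_still_works = True
    except KeyError:
        old_still_works = False
    return (not store.contains(pan), auth.masked_pan == "************1111", old_still_works)
```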
Protecting Cardholder Data Protects Your Business
If you are a merchant who accepts credit or debit cards, then you will be handling cardholder data. If you wish to store this information, both industry rules and public laws require you to handle this information in a highly secure manner and in very specific ways. Failure to protect cardholder data could subject you to fines or even harsher penalties under the law. Not only that, because the law requires you to report data breaches and notify your customers, you would have to fight the bad publicity associated with such a breach, and your business’s reputation will suffer. Protecting cardholder data, therefore, translates directly to protecting your business.
Fortunately, there are payment processors and third-party tokenization providers who can help you simplify PCI compliance and make it easy for you to protect cardholder data with secure, easy-to-use software. Reputable payment processors and tokenization providers are also mindful of their own practices on who can access cardholder data and stand behind their practices.
What’s your experience with handling cardholder information? Do you keep the information in-house, or do you take advantage of third party storage services?
It’s safe to say that nothing is ever free in payment processing (and if it claims to be, you should be very suspicious). But trying to understand why some types of transactions cost more than others to process can be a confusing and sometimes overwhelming process. For example, why does Square charge 3.5% + $0.15 for keyed transactions and just 2.75% for swiped, dipped, and tapped transactions, even though they both go through the Point of Sale app? Why do invoices and online orders cost more than payments processed with a POS app and credit card reader? The answer is that it matters whether a transaction is deemed “card-present” or “card-not-present” (CNP) — in fact, it is a critical factor in payment processing costs.
A card-not-present sale is any transaction where the cardholder does not present their card to the merchant. While that general definition may seem pretty cut and dry, the reality is a bit muddier. Here’s what I mean: Even if your customer takes out their physical credit card, the transaction is not considered a “card-present sale” unless they actually swipe, dip, or tap it. Manually entering a card number throws the transaction into card-not-present territory.
And when a customer taps a credit card terminal with their phone at a coffee shop? That transaction is actually considered a card-present sale even though the merchant technically never sees a physical credit card!
Confused? Don’t worry. Keep reading; below, we’ll break down some more examples of card-not-present transactions and help you understand why they cost more to process. We’ll also talk about what — if anything — you need to change in your payment processing setup to protect your business.
The reality is, whether you have a brick-and-mortar store or you run an eCommerce business, you need to understand how CNP transactions affect your business, your customers, and your bottom line. There’s much more than meets the eye when it comes to distinguishing between a card-not-present and a card-present transaction, including how much it costs you and the security risks involved. Let’s dive in!
Card-Present VS Card-Not-Present Transactions
Let’s start by talking about what a card-not-present sale actually entails. Once we do that, these transactions will be a little easier for you to identify (and help your sales team navigate the whole issue as well). A card-not-present sale is any sale processed that does not capture the electronic data of the card at the time of the sale.
It’s not always super cut and dry. Sometimes merchants don’t understand that being handed a credit card doesn’t automatically qualify the transaction as a card-present sale. It all depends on how it is processed. For instance, say you are at a festival and decide to buy one-of-a-kind art from a vendor. You hand her your card, and she breaks out a little manual machine and makes a carbon copy. Even though you physically handed the vendor your card, this still counts as a card-not-present transaction. No electronic data was captured.
Another example involves Visa and Apple Pay. You can consider any in-store purchase made with Apple Pay a card-present sale, but any payments made using Apple Pay in-app are considered card-not-present. That’s because when a customer uses a digital wallet by tapping or scanning a QR code in the store, the electronic data of the card is captured in real time. In-app purchases do not capture the electronic data at the time of the sale.
For the most part, the main thing to understand is that transaction categorization ultimately boils down to whether electronic data was captured.
Common Card-Not-Present Transactions:
Invoicing a client
eCommerce / online shopping
Recurring payments that are automatically billed (subscriptions)
Common Card-Present Transactions:
Countertop credit card terminals
Tapping or scanning digital wallets
Swiping via a card reader on a tablet or smartphone (e.g., Square)
If your revenue depends on processing payments with anything other than a POS app and credit card terminal or mobile card reader, it is worth your time to understand how to keep your transactions safe. Processing credit cards costs money whether you process in person or online, but you will face slightly higher fees for processing card-not-present transactions.
Understanding The Cost Of Card-Not-Present Transactions
Why are you charged more for card-not-present transactions? It’s pretty simple, actually. Card-not-present transactions cost more because there are simply more ways for them to fail. Between chargebacks, friendly fraud, and malicious fraud, there is more vulnerability and subsequent cost when things go wrong. Granted, all credit card processing poses some risk — that’s why businesses have contracts with processors, and why high-risk merchant accounts exist. It comes down to which methods of payment processing (and sometimes even which businesses) present the most risk.
With a merchant account that offers interchange-plus pricing, you will pay a higher interchange rate for card-not-present transactions because the card networks want a return in exchange for accepting some of the risk. Even third-party processors, which don’t overtly pass interchange costs directly to you, still build the costs in by adding a markup to their base rate.
It’s also important to understand that not all card-not-present transactions pose the same risks. For instance, you are generally going to pay a higher cost for a keyed-in entry than for an online transaction because there are typically some built-in security measures (like address and CVV verification) for online purchases, whereas there are no security measures for keyed transactions.
Want to know more about how credit card processing works? Check out The Complete Guide to Credit Card Processing Rates & Fees for an in-depth look.
Below we talk more about card-not-present fraud and what you can do to protect your business.
The Cost Of Fraud
Unfortunately, when it comes to CNP sales, the industry is currently seeing an increased rate of fraud for online transactions. The rollout of chip cards and the EMV liability shift in the US for card-present sales actually plays a major role in the increase of card-not-present fraud, and it’s something that financial experts predicted would happen based on EMV adoption in other parts of the world.
While we certainly don’t want to strike fear or dread into any of our readers, the fact is that card-not-present transactions make you more vulnerable to fraud because the physical card data can’t be verified. Not only can a card data breach turn into an embarrassing public relations issue, but the business owner is ultimately responsible for absorbing the cost of any fraudulent charges in a card-not-present sale.
A recent press release from LexisNexis demonstrates that the cost of fraud is rising. Last year, every dollar ($1) of fraud cost a merchant $2.77. This year, it’s predicted to cost $2.94 on average. And if you are in the digital space, the cost is even a bit higher.
Small businesses need to stay on guard just as much as any medium or large business. The unfortunate fact is that fraudsters are looking for vulnerabilities like outdated data security practices, and small businesses are very likely to be targeted.
There are some very sobering statistics from UPS Capital:
Nearly 90% of small and medium-sized businesses in the U.S. don’t use data protection for company and customer information.
Less than half have secure company email processes to prevent phishing scams.
60% of smaller businesses are out of business within six months of suffering a cyber attack.
It is vitally important to be aware of the risks and know how to protect yourself.
Read on to learn more about fraud and what you can do to protect your business if you accept card-not-present transactions.
Protecting Your Business From Fraud
Taking a proactive approach to preventing fraud is a smart move. In this post, we focus on understanding the risks and cost of card-not-present transactions, but card-present sales are certainly not exempt from fraud. If your business processes both types, check out the Merchant’s Guide to Preventing Card-Present Fraud for a great breakdown of information on how to protect your business from card-present security issues.
Your first defense against fraud will always be PCI compliance. PCI DSS is an acronym for Payment Card Industry Data Security Standard, which dictates the industry-standard procedures and security measures a business needs to take to protect customer data.
The good news is that unless you are dealing with homegrown software for your payment processing system, you are likely operating with PCI compliant equipment and software. That’s because all payment processing software and equipment vendors go through a strict certification process to ensure their products meet industry standards for security.
That being said, you still need to take the time to read your contract and understand if there are any steps you need to take to ensure continued compliance. Third-party payment processors such as Square are automatically PCI compliant and do not require you to do anything specific to maintain compliance — at least not as far as the contract is concerned. (As a general rule, you should keep yourself informed on PCI compliance and what constitutes a suspicious transaction that could get your account flagged for fraud.)
With merchant accounts, PCI compliance is a lot more varied and partially depends on whether you use the provided software or integrate with a third-party. You may be obligated to complete a scan or assessments, or potentially much more depending on your payment processing setup.
The key takeaway is this: PCI compliance is never a one-time event. Assessment, remediation, and reporting are a continual process, with best practices changing each year. Even if your processor doesn’t require you to do anything to maintain compliance, it’s important to make sure you know what the security best practices are.
According to the PCI DSS Quick Reference Guide, some habits can put you and your customers at risk for fraud. Within the guide, the PCI cites activities that are common across the board in all types of U.S. and European businesses (page 4):
81% store payment card numbers
73% store payment card expiration dates
71% store payment verification codes
57% store customer data from the payment card magnetic strip
16% store other personal data
Let’s break down that first statistic. The majority of business owners store their customers’ credit card numbers. But where? Unless you’re using PCI compliant software with a secure credit card vault, you could be exposing yourself to risk and liability — big time.
Following best practices and keeping yourself up-to-date with PCI compliance is one of the most important things you can do to prevent fraud. Another thing to remember is that it is up to you to ensure your team knows what not to do, too. A retail employee who keys in the majority of her transactions may be helping others commit fraud — or she may simply have trouble getting the credit card terminal’s card readers to work. But you won’t know until you check up on her.
Once your bases are covered with PCI compliance, you can rest easy knowing that your legal and liability concerns have at least been reasonably mitigated.
Additional layers of security may be worth looking into as well, especially if your livelihood involves online sales.
Address Verification System (AVS): This system checks to see if your customer’s address is the same as the address on file for the person who owns the credit card. Verifying the billing address or zip code against the Visa or MasterCard billing information of the cardholder can prevent misuse and protect your business from fraud.
CVV Checks: A CVV check requires your customers to enter the additional three numbers on the back of the card (four digits for American Express). Since this information can be stored (and also stolen), it also makes sense to require customers to re-enter the card code whenever there is an unrecognized device or a change to a shipping address.
3-D Secure: This provides an extra layer of security for online transactions. If you have heard of MasterCard SecureCode, Verified by Visa, or American Express Safekey, then you are familiar with 3-D Secure. MasterCard SecureCode, for instance, requires a PIN code to be entered into an inline window that is securely hosted by the issuing bank. The code is never shared with you directly. This authentication step is designed to reduce your liability and improve security. Many processors that cater specifically to online businesses, such as Stripe, offer 3D Secure bundled with their services.
Fully grasping the nuances of credit card processing can be difficult. However, it’s definitely worth taking a bit of time to understand how and why card-not-present transactions are different from card-present payment processing.
Even merchants who run brick-and-mortar shops have to deal with the cost of CNP payments. If you have a storefront shop, taking the time to train your team to spot the difference between the two types of transactions and keeping up with the latest compliant software/EMV readers will go a long way towards keeping your costs down — and your payment security tighter.
If you run an online business, your focus should be on making sure you have the appropriate security measures enabled with a good payment processor — preferably one that does the bulk of the work for you! At the end of the day, you will take the hit from chargebacks and fraud if you don’t have the right protections.
Shopping around for eCommerce business solutions? Read How To Choose An eCommerce Merchant Account.
The post What Is A Card-Not-Present Transaction? appeared first on Merchant Maverick.
We don’t typically think about what happens in the moments after we swipe our debit and/or credit cards. More often than not, we simply run or insert our card into the credit card machine and hope that the cashier doesn’t use the next few moments to initiate small talk. The number in our checking account decreases or the number on our credit card bill increases, and that’s all we care about.
But, to the business owner, credit card processing is exceptionally important and it can play a huge role in your bottom line. There’s a lot of information to take in if you’re a novice when it comes to credit card processing, and you’ll need to decide what elements are most important to your business. Do you need mobility when accepting payments? Will you be accepting transactions online or over the phone? What security measures should you be taking to protect both your business and your customers? What companies are highly rated or come heavily recommended?
We’ll try and answer the bulk of your questions about credit card machines and terminals below.
Credit Card Machines
Credit card technology has evolved rapidly over the years. It doesn’t seem like that long ago when the process involved a terminal with just the option for credit. Then came debit cards. As the internet became the world’s go-to for conducting business, the processing game had to change as well. Now, merchants can take payments with readers connected to their phones or tablets — they can even accept payments remotely without the physical card present. This has created a need for increased security which has led to encryption technology and the relatively recent advent of the EMV chip card.
Before we get into that, however, let’s start with some basics about credit card transactions. You have, no doubt, used hundreds of different types of card readers throughout your illustrious tenure as a consumer. But what happens once your card’s magnetic strip has been read? In simple terms, there are three phases involved in actual processing:
Authorization: Once your card is scanned, its information is sent over with a request to be processed. The processing request is then sent to the company of the cardholder (VISA, Mastercard, etc.). The company sends the request on to the issuing bank. If there are enough funds in the account, and if the card is registered as valid, the purchase is approved. All of this takes place in a matter of seconds, generally speaking.
Settling: After a transaction has been approved, it is forwarded on to be cleared via an interchange. When the request is received, a credit is given to the merchant for the amount of the sale. The bank will then issue a statement to the customer in that amount which the customer must then pay off.
Funding: So far in the transaction, no actual money has changed hands. After the card has been authorized and the credit is issued, the payment company then makes a deposit into the merchant’s checking account. These funds can generally be accessed in just a few days.
In order to accept these forms of payment, you will need some type of card reader. Your options here have also evolved rapidly in the past couple of decades. The most common type of credit card machine is still the stationary card terminal. This is a machine that needs a physical connection either to a phone line or to the internet in order to process physical cards.
The next type of machine, and one that is rapidly gaining in popularity, is the wireless processor. These often look very similar to a stationary device, using a magnetic strip or chip reader to take a customer’s card information. However, these devices only require a wireless connection, making them far more versatile and mobile for merchants (albeit with slightly higher security concerns).
Finally, you can also accept payments via a virtual terminal, something we’ll get into more thoroughly a little bit later. In short, virtual terminals allow you to take a customer’s card information without that card being physically present.
Of course, within these different machines, you’ll have some other hardware choices to make. One item you may want to look into is a PIN pad. With this device, customers can manually type in their debit card PIN to process a payment. Debit cards with either a VISA or Mastercard logo can be processed almost identically to credit cards. However, with a PIN pad, a transaction that is specifically run as debit usually costs the merchant a smaller fee. This ends up saving you a lot of money in the long run, particularly on large transactions.
Some point of sale systems have this technology built-in, allowing customers to enter their PIN on a touchscreen. PIN pads encrypt a customer’s information, giving an inherent level of security on those transactions. As previously mentioned, you don’t need a PIN pad to run these types of transactions. A signature debit card is processed just like a credit card, but the money comes directly from a customer’s checking account. However, in most instances, the merchant is still charged the same rate as if the transaction was run as credit.
One of the more recent changes in the world of credit card processing has been the introduction of the chip card. EMV (which stands for Europay, Mastercard, VISA) is a method of payment based on a standard for cards and machines that is meant to dramatically reduce the possibility for fraud when it comes to credit card payments. EMV cards store data in a chip within the card that is read when it is “dipped” or inserted into a card reader or payment machine. Companies have been steadily trying to meet EMV standards, and the majority of processors and point of sale companies are now EMV compliant or claim to be in the process of becoming compliant in the near future. VISA and Mastercard have also issued standards for card-not-present transactions as a way to increase security measures in the world of eCommerce.
It’s difficult to predict what the future will look like when it comes to payment processing, but one trend that seems like a near sure bet is that consumers will continue to seek out convenience. This means that services like Apple Pay and Android Pay will probably continue to spike in popularity. Given society’s increased dependence on iPhones for everything from communication to driving directions, the ability to pay with one’s phone is something all companies will want to make sure they can handle — sooner rather than later.
Looking for a credit card machine for your business? Buy, don’t lease!
What is a virtual terminal? Let’s delve in deeper to get a sense of whether or not it’s a solution your business needs. Virtual terminals are online applications that allow customers to input credit card information directly online to then be processed electronically. These terminals allow for transactions to be processed even when a credit card is not physically present. This can be an ideal solution for any business that is highly mobile or conducting transactions remotely with clients.
Many companies, including PayPal and Helcim, offer the ability to use a virtual terminal for payments. The implementation process is exceedingly simple. Generally, for a small monthly fee, your processor can give you the ability to enter payment information from pretty much anywhere with an internet connection. Most companies will offer a percentage rate and a flat fee for virtual terminal transactions. This fee is often slightly higher than it would be for a typical transaction, as card-not-present transactions have a slightly higher risk of fraud.
With PayPal, for example, all you need is a phone, tablet or computer and you can quickly log in to your account and go to the virtual terminal setting. This leads you to a screen similar to one you would see if you were entering your own information online for a purchase. Once the information is entered, you’ll receive confirmation.
This simplicity and flexibility has made the virtual terminal an increasingly popular way for businesses of all types — not just mail order or eCommerce businesses — to accept payments. An increasing number of companies are now also offering USB card readers that connect directly to your terminal. These automatically take the card information and run it through your virtual terminal, keeping your transactions in the same location but charging you a lower rate since the card is present at the time. Some of these same companies offer pads which can collect customer signatures in the same way. Even with an external card reader, virtual terminals are usually not designed to accept advanced payment types, like contactless payments, from mobile wallets such as ApplePay. If you want to accept contactless payments, you’re better off getting a standard NFC-enabled credit card machine or credit card reader.
Virtual terminals can also take Automated Clearing House (ACH) payments for one-time or recurring transactions. These payments are processed in batches, meaning the payment is usually received a little later. However, you aren’t subject to interchange fees for these payments.
Obviously, when making or accepting payments where credit card information is simply entered online, security is going to be of the utmost importance. It is highly recommended that you choose a payment provider that encrypts credit card data; this both reduces the risk of theft and the scope of the Payment Card Industry (PCI) compliance.
From there, you will generally have two options.
You can choose a non-validated solution which can cut down the risk of having data stolen. This is an affordable option that is offered by most processing companies, though these solutions are not defined as secure by the PCI. In other words, there is an increased chance that hackers could gain access to encryption keys which could eventually lead to a data breach.
The other option is a PCI point-to-point encryption (P2PE) provider, which meets all of the PCI standards and includes secure hardware. Processors that provide this level of protection must accept Merchant P2PE Implementation Responsibilities. Because of this added security, a much smaller number of processors offer this service (although that list is growing). If you are set on providing increased security, you will need to make sure you have hardware that meets these standards — you will also have to submit to regular security check-ups.
When we talk about merchant services, what exactly do we mean? In simple terms, ‘merchant services’ is a broad term to describe the hardware and software products that make it possible to accept credit and debit card transactions. These companies and services help to connect the issuing bank (the bank that gave your customers their credit cards) and the merchant bank (the bank that is behind your merchant account). In the last couple of decades, this term has expanded to include much more than just your standard terminal scanner. The internet has opened the door for payments to be made online, and those purchases can be tracked and managed from your computer or mobile device.
Merchant services providers are any businesses that enable you to accept payments (beyond just cash and checks). These can include credit and debit card processors, point of sale terminals, analytic software, etc. There are a handful of different kinds of merchant services providers, including:
Merchant Account Providers: These providers can set you up with a merchant account and services that allow you to collect your money following a debit or credit card transaction. Some larger companies also come with direct processing services.
Payment Service Providers: Even though it’s advisable, it’s not essential to have a merchant account to process payments. Payment service providers, like the ubiquitous PayPal, don’t give you an ID number and are popular because they generally do not come with account fees or long-term contracts. These accounts can be frozen, sometimes without notice, and customer service can be sketchy. However, for smaller or seasonal businesses, payment service providers are a popular choice.
Payment Gateway Providers: Payment gateway providers represent a service provider that has emerged with the increased popularity of eCommerce. These providers may or may not come with a merchant account. Some give you a choice of using their own merchant account or using a gateway with an existing account. Others only offer a gateway service, meaning you’ll have to have a merchant account from a third party.
When you’re looking at various card processors, there are a few things that you should keep an eye on. Perhaps most importantly, you’ll want to research the company’s reputation. Processing payments is a crucial aspect of your business, and an unreliable company can give you a lot of headaches (and affect your bottom line).
You’ll also want to compare the costs and potential fees that various processors implement. Square, for example, charges no monthly fee, which is yet another appeal for smaller or mid-sized companies. However, they also implement a 2.75% fee on transactions — if your business takes off and you’re suddenly processing a high number of transactions, those fees will add up and quickly wipe out any savings you’re receiving from not paying a monthly fee.
You’ll also want to double-check the compatibility of your processor. If, for instance, you’ve found a point of sale system that you are comfortable with, you’ll want to make sure that the processor integrates seamlessly without additional costs. If you’re forced to set up an aforementioned gateway, you could end up paying a large monthly fee.
To enable transactions, merchants will have to fill out an application. If you’re opening a merchant account, this process can take a little longer than going through a third-party processor. One of the reasons smaller and mid-sized merchants lean towards a third-party processing account like Square is that you can be up and ready to take payments almost immediately. The price for that instant gratification, however, is an increased likelihood of potential account freezes later on.
When you’re in the process of picking out a processor, you’ll also want to pay close attention to transaction fees. The best merchant account providers usually offer what is referred to as interchange-plus pricing. This means that the provider takes the wholesale cost of the transaction and tacks on a small, standardized markup. This ensures an affordable and transparent pricing plan. It also means a slightly higher rate for transactions when a card isn’t physically present, since those transactions have a higher frequency of fraud. Third-party processors sometimes provide a flat rate for all transactions — this is convenient and offers a simple way to quickly figure out your fees. However, it may not be the most cost-efficient in the grand scheme of things. A company like Square, which offers a flat rate for swiped and dipped transactions, also charges a slightly higher rate for keyed-in and eCommerce transactions.
There are a few other things you’ll want to watch out for when finalizing your decision about a merchant account provider. Along with the potential for account freezes or funding holds, keep an eye on how businesses handle chargebacks (where customers dispute a charge) and fraudulent charges in general. There are ways to mitigate these dangers, of course. You can use fraud management tools, including things like address verification services. Using a chip card terminal also dramatically cuts back on fraudulent charges.
Here are a few of our most highly recommended processing companies:
Fattmerchant:Â Fattmerchant is one of the best companies for eCommerce transactions. Its pricing is transparent without undisclosed fees. There is also a 0% markup, meaning you pay only the wholesale cost plus the monthly fee and a small authorization fee. Fattmerchant also has terrific customer service.
Dharma:Â Dharma provides a full array of processing services and also has a simple, affordable pricing structure without hidden fees. They exclusively use the interchange-plus format and are a particularly good choice for non-profits, as they offer a discount to those companies.
Helcim:Â For slightly large companies, Helcim is a very strong option. While offering a wide range of services, they have extremely competitive rates for companies that process more than $2500 a month. They also have very strong customer service and their fee structure is transparent and easy to understand.
Square:Â For companies that donât provide a full-service merchant account, Square is the standard bearer. There is no monthly account fee and they offer free or low-cost readers. Square also doesnât force you to sign up for a long-term contract or charge you for early termination.
Your POS System
Another way to process payments is through your POS or point of sale system. Point of sale systems have come a long way, especially in the past decade. Today, you can virtually run your entire business from one simple device. With the influx of cloud-based systems, you can make snap decisions and check the status of your operation from anywhere with a wireless connection.
With so many options available, and with point of sale systems offering more and more features all the time, choosing the correct system to meet your needs is an important decision. The first thing you'll need to decide is whether you want a system that is cloud-based or locally installed. Most companies have been moving toward cloud-based options for numerous reasons. First and foremost, it's incredibly convenient. All of your data is automatically stored off-premise, so if something happens to your store or to your system, all of your payment, customer, and inventory information is still accessible. These systems are often extremely user-friendly as well, designed to be intuitive with very little training time needed. They tend to be sleek, modern, and visually appealing both to your customers and employees.
Many cloud-based systems also perform routine updates automatically, fixing bugs and adding new features so that you always have the most current software at your fingertips. Along these same lines, the best POS systems sync seamlessly with any number of integrations that can help your business in ways you may not have even considered before.
When you're looking at purchasing a POS system, there are a number of factors to keep in mind. First and foremost, it's likely that the cost of the POS hardware and software is going to play a large role. Some systems allow you to purchase your system and all necessary hardware upfront for a flat rate, allowing you to own the software. But if dropping a few thousand dollars isn't something you're comfortable with, the majority of point of sale companies offer monthly rates. A few companies, such as Square, offer a free version of their software that is generally suited for small operations, though most other POS software systems run anywhere from $39 to $99 a month for basic services, while often offering advanced packages with additional features.
Let's talk about some features you can expect to find in pretty much any good, modern point of sale system:
Inventory Management: Not only can you view all of your stock on hand, you can set your POS to alert you when certain products are running low or, even more conveniently, you can set the system to automatically reorder products when they hit a certain level. This can be an enormous time saver and, in most systems, inventory management can be accessed remotely. You can set up quick transfers across multiple locations and, in many cases, create and print your own purchase orders.
Employee Management: Likewise, your staff is easy to track and manage from your centralized POS station. You can set permissions and create alerts for suspicious transactions to cut down on fraud. Employees can be given unique codes when they log into the system and can view their hours and current schedules.
Customer Management: Many point of sale systems come with their own built-in loyalty programs or integrate with other companies for a small monthly fee. But these days, your POS can help with so much more when it comes to analytics and marketing. Most systems allow customer data to be stored and easily searched. Customers can look up their own loyalty points and control their own profiles in some cases. More useful for business owners, however, is the ability of the system to analyze what items are being purchased by certain customers, assessing buying habits and creating personalized marketing campaigns that can be implemented with ease, helping to maximize profits. The same can be done with coupons, targeting customers to boost repeat business.
You will also want to do your research to see what systems specifically cater to your particular business. For example, if you're opening a pizza shop, you may want to look for a system with built-in features that make online ordering simple, or functions that allow customers to create a custom order which is then automatically sent to the kitchen, freeing up your employees. There are also niche POS systems for specific types of businesses. Quetzal, one of our highest-rated systems here at Merchant Maverick, is built for the retail industry with a significant bent towards shoe stores.
Many POS software systems have their own app store, like Clover, or integrate with scores of apps that might help your business out tremendously. If you're technically savvy, most POS providers also give you access to an open API, meaning that you or a developer can create your own apps within the software.
When you're doing your research there are a number of other features you'll want to keep an eye on. Definitely check to see which features come in the form of add-ons that will increase your monthly fee. You will also want to make sure you have appropriate, compatible POS hardware. Several companies offer hardware packages that can be purchased directly through their websites.
A robust reporting feature should be available in most highly-rated systems, and many offer their own eCommerce platforms, making it easy to set up your own website and sell online, all from your POS device.
Another key factor to research is which credit card processors are compatible with your system. While some offer a wide range of choices, integrating with most major companies, others lock you into a limited number of options or offer their own processing services for credit card payments, for better or worse.
You'll also want to see what your system has in terms of an offline mode. Most point of sale systems have evolved to offer at least some offline functionality, but what you can actually do in the case of an outage can vary. Many systems still function as normal, allowing you to take credit cards, encrypt the transactions, and store the data to be run once the internet connection is restored.
It's difficult to make a decision, but at Merchant Maverick, we've come across a number of point of sale systems that we would happily recommend depending on your business.
Shopkeep: Shopkeep is routinely at the top of our lists. This simple and reasonably priced system features everything you would expect in a point of sale system. It's well suited for small to mid-sized retail shops and restaurants, with a sleek design, excellent reporting and management tools, and terrific customer service.
Revel: For slightly larger restaurants or retail establishments, we often recommend Revel, a product that can manage multiple locations and large amounts of inventory with ease. Revel is intuitive and extremely robust, with a top-notch kiosk function and Kitchen Display System.
Lightspeed: Lightspeed is another highly rated company and offers both a Retail and a Restaurant product. Lightspeed has great customer service and is easy to set up, while also providing intuitive front end and back end features. It also has an excellent and simple to use eCommerce platform.
ERPLY: ERPLY is one of the top retail point of sale systems that we've reviewed. One of its biggest features is the ability to integrate with most major credit card processors. It also has terrific shipping integrations and excellent customer management tools, particularly when it comes to loyalty.
There is obviously a lot to process when it comes to... well... credit card terminals and payment processing. If you've made it this far, hopefully you're feeling a little more confident about your knowledge of credit card processing machines, virtual terminals, merchant services, point of sale systems, and what you should be looking for from the various companies that provide this technology. Make sure you have a good grasp of what each company charges for different transactions and what might be the best option for your type and size of business. Also, don't overlook things like a company's customer service reputation. It's a competitive market and you have the ability to make sure you end up with a credit card terminal and processing system that can best help your business thrive.
The post Complete Guide To Credit Card Machines And Terminals appeared first on Merchant Maverick.
Rather than explaining each and every detail about PCI compliance, I've decided to give you a short rundown of the basics and then point you to some resources that go into much more depth.
The most important thing to keep in mind in all of this is that the PCI DSS compliance standards are continually changing. What's required today may be unnecessary tomorrow, and vice versa. Furthermore, your compliance obligations will differ depending on what kind of business you are.
If you are a small eCommerce site that uses a payment gateway like Authorize.Net, your obligations will be much lighter than if you are a large brick-and-mortar merchant that stores your customers' credit card numbers. The key is to figure out which requirements apply to your business type, then make sure you follow those guidelines to become compliant.
With that said, let's cover the basics...
The PCI Security Standards Council (PCI SSC)
You've probably heard of these folks already. They're the ones that set the rules and tell us how to comply with them. They have the most current information about PCI compliance, so visit their website to learn more. Remember, their guidance changes regularly, so make sure to stay up to date. Obviously, the most important page for you is going to be their "Merchants" page.
What Is PCI DSS?
PCI DSS stands for Payment Card Industry Data Security Standard. These are standards set by the PCI SSC that merchants are required to follow in order to remain compliant.
Where To Start
You probably don't have time to become a PCI expert, so if I were you, I'd watch this PCI rock video, read this Quick Reference Guide, and call it a day. The video will introduce you to the whole PCI DSS thing, and the guide gives you enough information to figure out what to do next.
This PCI for Dummies ebook by Qualys is also worth a read.
What’s Your Merchant Risk Level?
As I mentioned above, PCI requirements vary according to what your risk level is as a business. Click here to find out what risk level your business falls under.
Following the 12-Step Program for PCI DSS Compliance
The core of the PCI DSS compliance program is the 12 requirements outlined in the Quick Reference Guide. Understand these, and you'll be well on your way to understanding PCI compliance.
1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.
3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.
5. Use and regularly update anti-virus software or programs.
6. Develop and maintain secure systems and applications.
7. Restrict access to cardholder data by business need to know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.
10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.
12. Maintain a policy that addresses information security for all personnel.
Self-Assessment Questionnaire (SAQ)
As you'll learn in the Quick Reference Guide, the Self-Assessment Questionnaire (SAQ) is a quick and easy way for merchants (business owners) to determine which of the above requirements they have to comply with.
Everyone needs to take the SAQ, so you might as well go do it now. Remember to read the instructions first.
Using the Right Equipment for PCI Compliance
It turns out you have to be using the right kind of terminal/equipment if you plan on being compliant. Use this search engine to see whether your device is certified. If not, you probably need to upgrade.
Generally, when you sign up for a new merchant account, your provider will give you up-to-date, compliant equipment.
If you are a small merchant that doesn't store anyone's credit card information, consider yourself lucky! Aside from a few minor tasks, your obligations will be minimal. Check out this link to learn more.
Not much more to say here. Read the above, follow the links, read the documents I've referenced, and you'll be fine. Don't panic over the complexity of it all. It needn't be too hard.
Let me know if you have questions about PCI DSS compliance.
Have you noticed a PCI compliance fee on your statement lately? Want to know what it's for? Want to know whether it's legit? Want to know how to get rid of it? Then keep reading...
In the past year, I've had a number of merchants ask me about this new PCI compliance fee that's been showing up on their statements. Sometimes it comes in the form of an annual fee ($99+/year), and other times it's a monthly fee ($19.95/month). In some rare cases, you might be seeing both an annual fee and a monthly fee.
For merchants that don't understand PCI compliance, the PCI compliance fee looks like yet another junk fee tacked on by their processor to earn them a bit more profit. The truth, however, is somewhere in the middle.
There is a great two-part series on GreenSheet.com that I recommend you read (here's part 1, and part 2). GreenSheet.com is an "insider" website for the credit card processing industry. It's what your processor/provider, and their sales reps, read regularly. It's also a great way to learn about the business from their perspective. If you read the two-part article, you'll probably understand more about this PCI compliance fee than about 90% of your peers.
The title of the Green Sheet article is "What does a merchant get for a PCI fee?" That question is exactly the one that merchants should be asking their credit card processor.
What kind of products or services are you getting in exchange for paying this extra fee?
Since there's so much misinformation around PCI compliance, the field is ripe for illegitimate charges. Don't be one of those business owners that gets billed without receiving anything of value in return.
What are the potential products or services that your provider might be offering in exchange for said charges? Let's review them below...
Non-compliance fee: The non-compliance fee is fairly self-explanatory. Your processor bills you a monthly fee for not being compliant with the PCI DSS standards. The fee usually ranges from $5 to $19.95, with some processors charging as much as $30 per month. It provides no value, and simply serves as a blunt reminder that your processor doesn't have any proof that you're compliant.
From the Green Sheet article...
"What about those charging a 'noncompliance fee'? Does this mean that the [merchant] customer isn't PCI compliant, and instead of being [brought] to compliance or shut down they get a free pass as long as they pay $xx.xx/month? Sounds like a cop issuing tickets to drunk drivers instead of taking them in."
This kind of PCI fee can and should be removed easily by becoming compliant. Ask your processor exactly what you need to do to become compliant, then...become compliant. There's no reason they should be charging a "non-compliance" fee if you've taken all of the steps to get compliant. If they continue charging a non-compliance fee even after you've met their requirements, then it's time to switch to a different processor.
Data breach insurance: Some processors offer "data breach" insurance to their merchants for a monthly/annual fee. This would be valuable if the insurance were foolproof, but it isn't.
What makes this subject so polarizing is the magnitude of the liability and the uncertainty regarding who ultimately owns it. To wit, when an ISO or acquirer assesses a monthly PCI fee that includes insurance, who's liable if, after a breach, the insurer declines the claim?
So, in a nutshell, you're paying a monthly fee for insurance that may or may not cover you in the event of a data breach? The simple fact that some insurance company can "decline the claim" should be sufficient cause for you to be wary of data breach insurance.
If you are being billed for data breach insurance, you should ask your processor for the details or terms. If you're unhappy with the terms, or your processor won't provide them to you, then start looking for a new processor.
Compliance support: This is the most legitimate of all the fees billed, and it usually comes in the form of an annual fee. If your processor is regularly contacting you, helping you, educating you, and providing you with scanning services, they have every right to charge you a compliance fee, because they're giving you something in return. The problem is that very few processors hold up their end of the bargain, yet still charge you this annual fee. On top of that, most of the time your processor will overcharge you for services you could get for less, if you just took the time to learn about PCI compliance yourself.
In some markets, the person with more information usually has the upper hand. PCI compliance is a market where education pays off. Even if you have to spend an entire weekend learning about this stuff, you'll be far better off than your less-informed counterparts. You'll probably end up paying less in PCI fees too.
Both Visa and MasterCard have created a framework for determining the risk level of a merchant. The more transactions you process, the more risk you pose to the two card organizations. In order to maintain some kind of order within PCI compliance, Visa and MasterCard have created four risk levels that apply to any given business.
Knowing which risk level you fall under is important because your merchant account provider will require different documents/procedures for each level. Most merchants don't really understand what each of these levels is, so before you submit the right documentation, you need to understand what each level means, and which applies to you.
Here are the PCI merchant levels and requirements from Visa's site. MasterCard's levels/requirements are nearly identical:
Level 1: Merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region. Validation: annual Report on Compliance ("ROC") by a Qualified Security Assessor ("QSA"), or by an internal auditor if signed by an officer of the company; quarterly network scan by an Approved Scanning Vendor ("ASV"); Attestation of Compliance form.
Level 2: Merchants processing 1 million to 6 million Visa transactions annually (all channels). Validation: annual SAQ; quarterly network scan by an ASV; Attestation of Compliance form.
Level 3: Merchants processing 20,000 to 1 million Visa e-commerce transactions annually. Validation: annual SAQ; quarterly network scan by an ASV; Attestation of Compliance form.
Level 4: Merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually. Validation: annual SAQ recommended; quarterly network scan by an ASV if applicable; compliance validation requirements set by the acquirer.
As you can see, the PCI compliance levels are pretty self-explanatory. Level 4 is the one to pay attention to, because a large majority of you will fall under this risk level. So, the next time your provider or processor tells you that you're a Level 4 merchant, you'll know exactly what they're talking about.
A large majority of companies in the U.S. are considered small and medium-sized businesses (SMBs). Most SMBs process fewer than 20,000 e-commerce transactions a year (or no more than 1,000,000 across all channels, and often far fewer), categorizing them as Level 4 merchants in the PCI world.
For those of you that have read my article on merchant risk levels, you'll know that Level 4 is the lowest tier, thus requiring the least amount of work for compliance. It's also the tier most targeted by hackers....go figure.
In this guide, I will walk you through what you need to do to become compliant and the basics of small merchant PCI compliance. I tried to keep it as short as possible, though I'm not sure I succeeded. :)
For Retail (Card-Present) Merchants
Scan Your System: Most credit card processors require proof that you've scanned your system for security threats, otherwise they'll charge you a monthly PCI non-compliance fee. So, make sure you comply with the other steps below, then get scanned when you're ready for it. I've partnered with Trust Guard, so obviously I'm going to recommend that you get your system scanned by them, but it's your call. There are plenty of others out there that provide scanning services. From what I've seen, Trust Guard is pretty legit though.
Take the Self-Assessment Questionnaire (SAQ): I discuss the SAQ in my other PCI article, but as a brief overview, the self-assessment questionnaire gives you a basic idea of what requirements you need to follow in order to be PCI compliant. The SAQ will probably reiterate exactly what I'm telling you now, but that doesn't mean you can skip it. Just like the system scan, most processors require that you take the questionnaire, otherwise they'll assess a non-compliance fee.
Now, follow these steps:
1. Only use PCI-approved PIN transaction security devices (i.e. PIN pads). By "device" I mean PIN pads and credit card terminals. Go here to find out whether your current device is on the PCI SSC's approved list. If not, it's time to upgrade.
2. Only use PCI-validated POS (point of sale) and payment gateway software (the validation program for payment applications is called PA-DSS). Go here to find out whether your current software is validated. If not, it's definitely time to upgrade. Here's a good place to find POS hardware/software, and all of my top credit card processors offer payment gateways that are PCI compliant.
3. Don't store any sensitive cardholder data. As a small business, it's very easy to overlook this. I remember writing credit card information down on a notepad for later reference, without realizing how big of a security risk that really was. So, whether on paper or on your hard drive, don't store any cardholder data. The full contents of the magnetic stripe or chip, the CVV2 and the PIN may never be stored after authorization, not even encrypted; if you genuinely need a card on file, keep no more than the first six and last four digits, or let your processor store the card and hand you a token. If you're worried that maybe your credit card terminal or PIN pad is storing card data, keep in mind that newer equipment either doesn't keep the data or encrypts it. So, if your device is PCI compliant, you need not worry.
4. Use a firewall on your network and PCs. This one's pretty easy. Most operating systems include some kind of security package with a firewall. Just make sure you regularly check that it's working, and update it if necessary. If you don't have a firewall, Norton is pretty good.
5. Make sure your router is password-protected and uses encryption. Another easy one. Your router's instructions will walk you through the process of password protecting and encrypting the router. On Wi-Fi that means WPA2; WEP has been unacceptable under PCI DSS since 2010.
6. Use strong passwords, and be sure to change default passwords. This one is a no-brainer. I use a password generator to make myself some quick and secure passwords. Never use the default password for any software or hardware.
7. Regularly check PIN entry devices and PCs to make sure nobody has installed rogue software or "skimming" devices. This is where the system network scan comes in handy. Your average person doesn't really know how to check for this kind of stuff, so by using a company like Trust Guard, you can simply rely on their expertise. A network scan can't see a skimmer fitted onto a PIN pad, though, so PCI DSS also expects you to inspect the devices themselves: keep a list of their serial numbers and check periodically that nothing has been swapped or tampered with.
8. Educate your employees about security and protecting cardholder data. Don't get lazy about this one. I have a few articles in my PCI Compliance category, so you can refer your employees to them. You also have plenty of resources at your fingertips, so don't forget to use your favorite search engine.
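Step 3 is the one that is easiest to get wrong without noticing, because card numbers end up in order logs, spreadsheets and support tickets long after everyone has agreed not to keep them. The script below, added here as an example and not Merchant Maverick's code, sweeps a text or memory buffer for Luhn-valid card numbers and raw track-2 records (the same search a memory-scraping trojan runs against a POS terminal's RAM), reports them masked, and produces a copy with the data removed. The sample lines and the byte buffer are constructed; the card numbers in them are the public test PANs.

```python
"""Sweep a text buffer (a log file, a spreadsheet export, a memory image)
for card numbers that should not be there, and mask or remove what is found.

Added example for this page, not Merchant Maverick's code.  The sample data
below is constructed; the card numbers in it are the well-known test PANs
that happen to pass the Luhn check."""
import re

# A PAN is 13-19 digits, possibly written with spaces or dashes, and not part
# of a longer digit run.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# Track-2 data as a reader or PIN pad buffers it:  ;PAN=YYMM<svc><discretionary>?
TRACK2_RE = re.compile(r";(\d{13,19})=(\d{4})(\d{3})(\d*)\?")


def luhn_ok(digits: str) -> bool:
    """Luhn check (ISO/IEC 7812).  Filters out most order numbers, tracking
    numbers and timestamps; roughly one random digit string in ten still passes."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """PCI DSS 3.3: show at most the first six and last four digits."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def _digits(match):
    return re.sub(r"[ -]", "", match.group(0))


def find_cardholder_data(blob: bytes) -> list:
    """Return [(kind, masked_pan, offset), ...] for every track-2 record and
    every Luhn-valid PAN in the buffer, in order of appearance.  Binary
    junk is harmless: latin-1 maps every byte to a character."""
    text = blob.decode("latin-1")
    found = []
    for m in TRACK2_RE.finditer(text):
        if luhn_ok(m.group(1)):
            found.append(("track2", mask_pan(m.group(1)), m.start()))
    # Blank out track records (same length, so offsets stay valid) so the
    # PAN inside them is not reported a second time.
    text = TRACK2_RE.sub(lambda m: " " * len(m.group(0)), text)
    for m in PAN_RE.finditer(text):
        digits = _digits(m)
        if luhn_ok(digits):
            found.append(("pan", mask_pan(digits), m.start()))
    return sorted(found, key=lambda f: f[2])


def redact(blob: bytes) -> bytes:
    """Return the buffer with cardholder data removed so it can be kept.
    Full track data is sensitive authentication data and may never be
    retained after authorization (PCI DSS 3.2), so the whole record goes;
    a bare PAN is truncated to the form 3.3 permits."""
    text = blob.decode("latin-1")
    text = TRACK2_RE.sub(lambda m: "[track2 %s removed]" % mask_pan(m.group(1)), text)
    text = PAN_RE.sub(lambda m: mask_pan(_digits(m)) if luhn_ok(_digits(m)) else m.group(0), text)
    return text.encode("latin-1")


# Constructed sample: three lines of an order log, a fragment of raw reader
# memory, and two long numbers that are not card numbers.
SAMPLE = b"\n".join([
    b"2015-03-20 10:41:07 order 10023 total 41.99 card 4111 1111 1111 1111 exp 0918",
    b"2015-03-20 10:41:09 order 10024 total 12.00 card 5500000000000004",
    b"2015-03-20 10:42:00 shipment tracking 1Z99999999999999999",
    b"\x00\x00\x7f;4242424242424242=19121010000000000?\x00\x00",
    b"2015-03-20 10:43:13 order 10025 invoice 1234567890123456",
])

if __name__ == "__main__":
    for kind, masked, off in find_cardholder_data(SAMPLE):
        print("%-6s at byte %4d: %s" % (kind, off, masked))
    print(redact(SAMPLE).decode("latin-1"))
```

Run it over anything your POS or web server writes to disk; whatever it reports is stored cardholder data you were not supposed to have. The Luhn check is a filter, not proof: expect to eyeball the hits, and expect a tracking or invoice number to slip through now and then.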
For eCommerce (Card-Not-Present) Merchants
Follow each step in the list above (except for #1; you obviously won't have a PIN pad or credit card terminal if you're strictly eCommerce), plus the following:
Get an SSL Certificate: An SSL certificate ensures that any sensitive data transmitted through your site is encrypted in order to protect that data. An obvious place you'd use SSL is on the payment page during checkout. There are a lot of SSL vendors out there, but if you're getting your system scan at Trust Guard, you might as well get your SSL with them too. ;) One caveat: the certificate alone doesn't make the connection secure. The server also has to be configured to use current TLS versions, since PCI DSS no longer accepts SSL or early TLS as strong cryptography.
One thing that I'd like to point out is that there are a few payment gateways out there that can alleviate your PCI requirements almost completely. The way it works is that they have a feature that lets you conduct the entire transaction on the provider's own servers, not yours, typically by redirecting the customer to a hosted payment page or embedding one in your checkout. That way, the card number never touches your own network, which takes most of your systems out of scope and drops you into the shortest version of the SAQ. It doesn't absolve you of looking after your website, though: if your site is compromised, an attacker can send customers to a fake payment page instead of the real one, so the page that does the redirecting still has to be protected. Check out the CDGcommerce instant PCI page to see what I mean. They do a better job of explaining it than I do.
You can also visit the Small Merchants page on the PCI Security Standards Council website for more information on PCI compliance for small businesses.
Heads up, merchants: Dubbed "PoSeidon" by Cisco Security Solutions, this malware is a new type of trojan that specifically targets POS (point of sale) systems, stealing the credit card information of your unsuspecting customers.
Cisco stated in a March 2015 report that POS malware attacks are on the rise, affecting businesses both large and small. One example of a recent high-profile POS credit card data breach is the BlackPOS malware strain, which exposed more than 40 freaking million Target customers' debit and credit card numbers in 2013.
Concerned? You should be, as you could ultimately be held responsible for the theft of your customers' data should your POS system become infected. Read on to learn how to protect your business from the PoSeidon virus, and how to minimize your risk of a POS system data breach in general.
The PoSeidon Point-of-Sale Virus
During card-present payment processing, sensitive credit card information can sit in plain text in the memory of the POS system. Like most point-of-sale trojans, PoSeidon uses a technique called "memory scraping": it scans the RAM of infected POS terminals for unencrypted strings that look like credit card data (track data has a fixed layout, and a candidate number is typically confirmed with the Luhn check before it's kept).
Once this information is retrieved, it's sold to shady cybercriminals who might, say, encode it onto a magnetic stripe and use it with a new card.
Craig Johnson, senior technical leader for Cisco's Talos Security Intelligence and Research Group, told SCMagazine.com that PoSeidon stands out from other similar POS malware in that it's self-updating.
Furthermore, says Johnson, "It has interesting evasions using the combination of XOR, Base64, etc., and it has direct communication with the exfiltration servers, unlike common PoS malware, which logs and stores for future exfiltration from another system."
OK, don't worry, you don't really need to understand exactly what that guy just said. The takeaway here is that PoSeidon is more sophisticated than previous POS malware programs. Though PoSeidon isn't the be-all, end-all of POS malware, this lucrative kind of crime isn't going away, either. After PoSeidon, the next, smarter incarnation of POS bug will surely appear to take its place.
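That "direct communication with the exfiltration servers" is something you can look for. A register should only ever talk to your processor's gateway and your POS vendor's update host, so any other outbound connection from the POS network is worth a look, and one that repeats on a schedule is worth a closer one. The script below is an example added for this page, not Merchant Maverick's or Cisco's code; the firewall log format, the POS subnet and the allowlisted hostnames are assumptions, and the log lines are constructed.

```python
"""Flag POS terminals that talk to anything other than the payment
endpoints they are supposed to reach.

Added example for this page, not Merchant Maverick's or Cisco's code.  The
log line format, the POS subnet and the allowlist are assumptions, and the
log lines below are constructed.  Malware that reports straight to its
exfiltration server from the terminal, as PoSeidon is described as doing,
shows up as an unexpected destination that repeats."""
import ipaddress
import re
from collections import Counter

# Assumed: the VLAN the registers and PIN pads sit on.
POS_SUBNET = ipaddress.ip_network("10.10.50.0/24")
# Assumed allowlist: the processor's gateway and the POS vendor's update host.
# (The hostnames are placeholders, not real endpoints.)
ALLOWED = {
    ("gateway.example-processor.net", 443),
    ("updates.example-pos.com", 443),
}

# Assumed egress-firewall log format:
#   <date> <time> <ALLOW|DENY> <proto> <src>:<sport> -> <dst>:<dport>
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>\S+):(?P<dport>\d+)$"
)


def parse_line(line: str):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def suspicious_egress(lines):
    """Return [((src, dst, dport), count), ...] for every permitted
    connection from a POS host to a destination not on the allowlist,
    most frequent first.  Denied attempts are skipped here: the firewall
    did its job, although they deserve a look of their own."""
    hits = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW":
            continue
        try:
            src = ipaddress.ip_address(rec["src"])
        except ValueError:
            continue
        if src not in POS_SUBNET:
            continue  # office PCs are a different problem
        if (rec["dst"], rec["dport"]) in ALLOWED:
            continue
        hits[(rec["src"], rec["dst"], rec["dport"])] += 1
    return sorted(hits.items(), key=lambda kv: (-kv[1], kv[0]))


# Constructed sample: two registers doing normal business, one of them
# also checking in with an outside host every five minutes.
SAMPLE_LOG = """\
2015-03-20 10:41:07 ALLOW TCP 10.10.50.21:49152 -> gateway.example-processor.net:443
2015-03-20 10:41:09 ALLOW TCP 10.10.50.22:49153 -> gateway.example-processor.net:443
2015-03-20 10:45:00 ALLOW TCP 10.10.50.21:49160 -> updates.example-pos.com:443
2015-03-20 10:50:12 ALLOW TCP 10.10.50.21:49171 -> 203.0.113.45:80
2015-03-20 10:55:12 ALLOW TCP 10.10.50.21:49180 -> 203.0.113.45:80
2015-03-20 11:00:13 ALLOW TCP 10.10.50.21:49192 -> 203.0.113.45:80
2015-03-20 11:02:40 ALLOW TCP 10.10.7.14:50001 -> www.example.com:80
2015-03-20 11:03:01 DENY TCP 10.10.50.22:49200 -> 198.51.100.9:443
garbage line the parser should ignore
"""

if __name__ == "__main__":
    for (src, dst, port), n in suspicious_egress(SAMPLE_LOG.splitlines()):
        print("%s -> %s:%d  %d connections" % (src, dst, port, n))
```

In practice you would feed it your firewall's log export rather than a string. The allowlist is exactly the set of destinations that PCI DSS requirement 1 says the POS segment should be permitted to reach, so a deny-by-default egress rule on that segment turns this detection into prevention; the script is for finding out whether you actually have one.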
PCI Security Standards
Fortunately, there are things you can do to protect your POS system from data breaches, and one of them involves something called PCI compliance. Being PCI-compliant doesn't make you impervious to attacks like PoSeidon, but it helps.
PCI DSS stands for Payment Card Industry Data Security Standard. These are standards set by the PCI Security Standards Council, and merchants are required to follow them in order to remain compliant.
You'll have to look up exactly what you need to do to remain PCI compliant for your particular kind of business (for instance, it's much simpler to be PCI compliant as a small e-commerce site than as a brick-and-mortar store), but essentially, the standards require you to do everything you can to protect the cardholder data you process. One thing every merchant can do is use PCI-compliant terminal equipment.
Take a look at our blog post on PCI compliance to get the online resources you need to make sure your business is compliant with PCI standards.
How Cloud-Based POS Software Can Help
Another important action merchants can take to secure their customers' data against security breaches, probably the most important thing, is to use cloud-based POS software.
With cloud-based POS software, the card data and customer information is taken out of your hands: this sensitive information is stored encrypted in the cloud instead of on your POS system, so there is no local database of card numbers for a breach to collect. Be clear about what that does and doesn't cover, though. A memory scraper like PoSeidon reads the card number at the moment it is swiped, on the device that reads it, and a cloud back end on its own doesn't change that. What takes the number out of the terminal's memory is a reader that encrypts the card data at the point of swipe (point-to-point encryption), so the POS software never sees it in the clear; cloud POS vendors commonly pair their software with such readers, and that combination is what makes a PoSeidon-type attack close to impossible.
Cloud-based POS software also allows the system to stay up to date more easily, which further helps protect you from new malware and other issues. And it has a lot of other benefits, such as allowing the business owner to log into the cloud POS system remotely.
For a good overview of the deal with cloud-based POS software, take a look at our very readable article on the subject.
How Do Chip Cards Affect Data Security?
EMV chip or "chip card" technology adds another layer of data security. Also known as "smart cards," these are credit/debit cards that store the cardholder's data on a microprocessor chip rather than a magnetic stripe.
Not many US retailers accept chip cards at the moment, but this is likely to change, since the card networks' liability shift for chip card fraud takes effect in October 2015 (more on that here).
So what do chip cards have to do with data security? Well, they produce dynamic (changing) transaction data rather than a single fixed string of digits, which makes copying them far more difficult. Each transaction includes a cryptogram computed by the chip with a key that never leaves the card, so data captured from one transaction can't be replayed for another. While chip cards won't prevent data theft, they make it so the stolen data itself can't easily be used to make counterfeit cards for fraudulent in-store transactions. The card number and expiry date are still readable, though, so stolen chip card data can still be used for card-not-present (online) fraud.
So you don't necessarily have to upgrade your terminals to accept chip cards this second, but EMV chip transactions are inherently safer than transactions with non-chip debit or credit cards (at least when it comes to card-present transactions). As the technology becomes more widespread, it will be in your interest as a merchant to accept chip card payments and thereby lower your fraud liability risk.
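To make the "dynamic data" point concrete, here is an added illustration (not code from the original article, and not a real EMV implementation): a magnetic stripe hands the issuer the same track data on every swipe, so a copy scraped from POS memory authorizes just like the original; a chip instead signs each transaction with a key that never leaves the card, over a counter and a challenge the terminal picks, so the scraped record cannot be replayed or altered. EMV's real Application Cryptogram uses card-unique 3DES/AES keys and an ISO 9797 MAC over a defined data set; the HMAC-SHA256, the field layout, the class names and the sample card number below are all assumptions for the demo.

```python
"""Static magstripe data vs. EMV-style dynamic cryptograms (added demo).

Assumed stand-in for EMV: HMAC-SHA256 over PAN, transaction counter (ATC),
amount and the terminal's unpredictable number. Not the real EMV algorithm.
"""
import hashlib
import hmac
import os


# ---- Magnetic stripe: the card hands over the same static data every time

def magstripe_authorize(issuer_tracks, track2):
    """Issuer can only check that the presented track data is on file.
    A copy captured by a memory scraper is indistinguishable from a swipe."""
    return track2 in issuer_tracks


# ---- Chip card: a per-transaction cryptogram bound to fresh inputs

def application_cryptogram(key, pan, atc, amount, unpredictable_number):
    """Stand-in for the EMV ARQC (assumed layout, see module docstring)."""
    msg = b"|".join([
        pan.encode(),
        atc.to_bytes(2, "big"),
        amount.to_bytes(4, "big"),
        unpredictable_number,
    ])
    return hmac.new(key, msg, hashlib.sha256).digest()[:8]


class ChipCard:
    def __init__(self, pan, key):
        self.pan = pan
        self._key = key        # stays on the chip; the POS never sees it
        self.atc = 0           # Application Transaction Counter

    def generate_ac(self, amount, unpredictable_number):
        self.atc += 1
        ac = application_cryptogram(self._key, self.pan, self.atc,
                                    amount, unpredictable_number)
        # This record is everything the POS (and a scraper on it) ever sees
        return {"pan": self.pan, "atc": self.atc, "amount": amount,
                "un": unpredictable_number, "ac": ac}


class ChipIssuer:
    def __init__(self):
        self.keys = {}       # pan -> card key (issuer's copy)
        self.last_atc = {}   # pan -> highest ATC accepted so far

    def enroll(self, pan, key):
        self.keys[pan] = key

    def authorize(self, terminal_un, tx):
        key = self.keys.get(tx["pan"])
        if key is None:
            return False
        if tx["un"] != terminal_un:                         # not this terminal's challenge
            return False
        if tx["atc"] <= self.last_atc.get(tx["pan"], 0):    # counter reused: replay
            return False
        expected = application_cryptogram(key, tx["pan"], tx["atc"],
                                          tx["amount"], tx["un"])
        if not hmac.compare_digest(expected, tx["ac"]):     # altered or forged
            return False
        self.last_atc[tx["pan"]] = tx["atc"]
        return True


def chip_transaction(card, issuer, amount):
    """Terminal flow: pick an unpredictable number, ask the card for a
    cryptogram, send it to the issuer. Returns (approved, data_seen_by_pos)."""
    un = os.urandom(4)
    tx = card.generate_ac(amount, un)
    return issuer.authorize(un, tx), tx


def demo_magstripe():
    """Genuine swipe and a scraped copy are both approved."""
    track2 = "4111111111111111=2512101"   # constructed sample track data
    issuer_tracks = {track2}
    scraped = str(track2)                 # what a RAM scraper exfiltrates
    return (magstripe_authorize(issuer_tracks, track2),
            magstripe_authorize(issuer_tracks, scraped))


def demo_chip():
    """Genuine chip transaction is approved; the scraped record can neither
    be replayed (stale ATC) nor altered (cryptogram no longer verifies)."""
    key = os.urandom(16)
    card = ChipCard("4111111111111111", key)
    issuer = ChipIssuer()
    issuer.enroll(card.pan, key)

    genuine_ok, scraped = chip_transaction(card, issuer, amount=2500)

    # Attacker replays the captured record from a terminal they control,
    # even reusing the same unpredictable number: rejected on the counter.
    replay_ok = issuer.authorize(scraped["un"], dict(scraped))

    # Attacker bumps the counter and changes the amount: no card key, so
    # the cryptogram cannot be recomputed and verification fails.
    forged = dict(scraped, atc=scraped["atc"] + 1, amount=100)
    forged_ok = issuer.authorize(forged["un"], forged)

    return genuine_ok, replay_ok, forged_ok


if __name__ == "__main__":
    print("magstripe (genuine, cloned):", demo_magstripe())
    print("chip (genuine, replay, forged):", demo_chip())
```

Replaying the record at a different terminal fails one check earlier, on the unpredictable number. Note what the demo does not protect: the scraped record still contains the card number, which is exactly why the card-not-present caveat above matters.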
The PoSeidon malware demonstrates the importance of data security for all businesses, online and off. As the technology used by data thieves continues to advance, so must merchants' POS systems. Brick-and-mortar businesses often assume they aren't at risk of data breaches, but Target, Lowe's, Kmart, and other large and small retailers have learned the hard way just how vulnerable they are.
When it comes to protecting your business from data breaches, having an up-to-date POS system is essential. Using a cloud-based system, maintaining PCI compliance, and getting ready to accept chip cards when the time comes will all help mitigate this risk.
To get you headed in the right direction, check out our favorite cloud-based POS systems.
Shannon is a freelance writer and editor based in North Park, CA. Shannon kind of wants an iPhone 7, but she's not really prepared to lose the headphone jack.