Everything You Need To Know About eCommerce Payments

The post Everything You Need To Know About eCommerce Payments appeared first on Merchant Maverick.


The Complete Guide To Finding An Internet Merchant Account

The post The Complete Guide To Finding An Internet Merchant Account appeared first on Merchant Maverick.


What Is Cardholder Data And Why Does It Matter?

The post What Is Cardholder Data And Why Does It Matter? appeared first on Merchant Maverick.


What Is A Card-Not-Present Transaction?

It’s safe to say that nothing is ever free in payment processing (and if it claims to be, you should be very suspicious). But trying to understand why some types of transactions cost more than others to process can be a confusing and sometimes overwhelming process. For example, why does Square charge 3.5% + $0.15 for keyed transactions and just 2.75% for swiped, dipped, and tapped transactions, even though they both go through the Point of Sale app? Why do invoices and online orders cost more than payments processed with a POS app and credit card reader? The answer is that it matters whether a transaction is deemed “card-present” or “card-not-present” (CNP) — in fact, it is a critical factor in payment processing costs.

A card-not-present sale is any transaction where the cardholder does not present their card to the merchant. While that general definition may seem pretty cut and dry, the reality is a bit muddier. Here’s what I mean: Even if your customer takes out their physical credit card, the transaction is not considered a “card-present sale” unless they actually swipe, dip, or tap it. Manually entering a card number throws the transaction into card-not-present territory.

And when a customer taps a credit card terminal with their phone at a coffee shop? That transaction is actually considered a card-present sale even though the merchant technically never sees a physical credit card!

Confused? Don’t worry. Keep reading; below, we’ll break down some more examples of card-not-present transactions and help you understand why they cost more to process. We’ll also talk about what — if anything — you need to change in your payment processing setup to protect your business.

The reality is, whether you have a brick-and-mortar store or you run an eCommerce business, you need to understand how CNP transactions affect your business, your customers, and your bottom line. There’s much more than meets the eye when it comes to distinguishing between a card-not-present and a card-present transaction, including how much it costs you and the security risks involved. Let’s dive in!

Card-Present VS Card-Not-Present Transactions

Let’s start by talking about what a card-not-present sale actually entails. Once we do that, these transactions will be a little easier for you to identify (and easier for your sales team to navigate as well). A card-not-present sale is any sale processed without capturing the electronic data of the card at the time of the sale.

It’s not always super cut and dry. Sometimes merchants don’t understand that being handed a credit card doesn’t automatically qualify the transaction as a card-present sale. It all depends on how it is processed. For instance, say you are at a festival and decide to buy one-of-a-kind art from a vendor. You hand her your card, and she breaks out a little manual machine and makes a carbon copy. Even though you physically handed the vendor your card, this still counts as a card-not-present transaction. No electronic data was captured.

Another example involves Visa and Apple Pay. You can consider any in-store purchase made with Apple Pay a card-present sale, but any payments made using Apple Pay in-app are considered card-not-present. That’s because when a customer uses a digital wallet by tapping or scanning a QR in the store, the electronic data of the card is captured in real time. In-app purchases do not capture the electronic data at the time of the sale.

For the most part, the main thing to understand is that transaction categorization ultimately boils down to whether electronic data was captured.

Common Card-Not-Present Transactions:

  • Invoicing a client
  • eCommerce / online shopping
  • Phone orders
  • Recurring payments that are automatically billed (subscriptions)

Common Card-Present Transactions:

  • Countertop credit card terminals
  • Tapping or scanning digital wallets
  • Swiping via a card reader on a tablet or smartphone (e.g., Square)

If your revenue depends on processing payments with anything other than a POS app and credit card terminal or mobile card reader, it is worth your time to understand how to keep your transactions safe. Processing credit cards costs money whether you process in person or online, but you will face slightly higher fees for processing card-not-present transactions.

Understanding The Cost Of Card-Not-Present Transactions


Why are you charged more for card-not-present transactions? It’s pretty simple, actually. Card-not-present transactions cost more because there are simply more ways for them to fail. Between chargebacks, friendly fraud, and malicious fraud, there is more exposure, and more cost, when things go wrong. Granted, all credit card processing poses some risk — that’s why businesses have contracts with processors, and why high-risk merchant accounts exist. It comes down to which methods of payment processing (and sometimes even which businesses) present the most risk.

With a merchant account that offers interchange-plus pricing, you will pay a higher interchange rate for card-not-present transactions because the card networks want a return in exchange for accepting some of the risk. Even third-party processors, which don’t overtly pass interchange costs directly to you, still build the costs in by adding a markup to their base rate.

It’s also important to understand that not all card-not-present transactions pose the same risks. For instance, you are generally going to pay a higher cost for a keyed-in entry than for an online transaction because there are typically some built-in security measures (like address and CVV verification) for online purchases, whereas there are no security measures for keyed transactions.

Want to know more about how credit card processing works? Check out The Complete Guide to Credit Card Processing Rates & Fees for an in-depth look. 

Below we talk more about card-not-present fraud and what you can do to protect your business. 

The Cost Of Fraud

Unfortunately, when it comes to CNP sales, the industry is currently seeing an increased rate of fraud for online transactions. The rollout of chip cards and the EMV liability shift in the US for card-present sales actually plays a major role in the increase of card-not-present fraud, and it’s something that financial experts predicted would happen based on EMV adoption in other parts of the world.

While we certainly don’t want to strike fear or dread into any of our readers, the fact is that card-not-present transactions make you more vulnerable to fraud because the physical card data can’t be verified. Not only can a card data breach turn into an embarrassing public relations issue, but the business owner is ultimately responsible for absorbing the cost of any fraudulent charges in a card-not-present sale.

A recent press release from LexisNexis demonstrates that the cost of fraud is rising. Last year, every dollar ($1) of fraud cost a merchant $2.77. This year, it’s predicted to cost $2.94 on average. And if you are in the digital space, the cost is even a bit higher.

Small businesses need to stay on guard just as much as any medium or large business. The unfortunate fact is that fraudsters are looking for vulnerabilities like outdated data security practices, and small businesses are very likely to be targeted.

There are some very sobering statistics from UPS Capital:

  • Nearly 90% of small and medium-sized businesses in the U.S. don’t use data protection for company and customer information.
  • Less than half have secure company email processes to prevent phishing scams.
  • 60% of smaller businesses are out of business within six months of suffering a cyber attack.

It is vitally important to be aware of the risks and know how to protect yourself.

Read on to learn more about fraud and what you can do to protect your business if you accept card-not-present transactions.

Protecting Your Business From Fraud


Taking a proactive approach to preventing fraud is a smart move. In this post, we focus on understanding the risks and cost of card-not-present transactions, but card-present sales are certainly not exempt from fraud. If your business processes both types, check out the Merchant’s Guide to Preventing Card-Present Fraud for a great breakdown of information on how to protect your business from card-present security issues.

Your first defense against fraud will always be PCI compliance. PCI DSS is an acronym for Payment Card Industry Data Security Standard, which dictates the industry-standard procedures and security measures a business needs to take to protect customer data.

The good news is that unless you are dealing with homegrown software for your payment processing system, you are likely operating with PCI compliant equipment and software. That’s because all payment processing software and equipment vendors go through a strict certification process to ensure their products meet industry standards for security. 

That being said, you still need to take the time to read your contract and understand if there are any steps you need to take to ensure continued compliance. Third-party payment processors such as Square are automatically PCI compliant and do not require you to do anything specific to maintain compliance — at least not as far as the contract is concerned. (As a general rule, you should keep yourself informed on PCI compliance and what constitutes a suspicious transaction that could get your account flagged for fraud.) 

With merchant accounts, PCI compliance is a lot more varied and partially depends on whether you use the provided software or integrate with a third-party. You may be obligated to complete a scan or assessments, or potentially much more depending on your payment processing setup.

The key takeaway is this: PCI compliance is never a one-time event. Assessment, remediation, and reporting form a continual process, with best practices changing each year. Even if your processor doesn’t require you to do anything to maintain compliance, it’s important to make sure you know what the security best practices are.

According to the PCI DSS Quick Reference Guide, some habits can put you and your customers at risk for fraud. Within the guide, the PCI cites activities that are common across the board in all types of U.S. and European businesses (page 4):

  • 81% store payment card numbers
  • 73% store payment card expiration dates
  • 71% store payment verification codes
  • 57% store customer data from the payment card magnetic strip
  • 16% store other personal data

Let’s break down that first statistic. The majority of business owners store their customers’ credit card numbers. But where? Unless you’re using PCI compliant software with a secure credit card vault, you could be exposing yourself to risk and liability — big time. 
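The statistics above (card numbers, verification codes, and magnetic-stripe data being stored) map directly onto what PCI DSS allows a merchant to keep after a transaction is authorized. The following is an added example, not Merchant Maverick’s code: a small routine that strips the fields PCI DSS forbids storing post-authorization (CVV, PIN, track data) and keeps only a masked card number. The field names and the sample record are assumptions constructed for the demonstration.

```python
"""Added example: sanitize a post-authorization record before it is stored.

PCI DSS forbids retaining sensitive authentication data (CVV/CVC, PIN, full
magnetic-stripe track data) after authorization, even if it is encrypted, and
limits a displayed/stored PAN to at most the first six and last four digits.
Field names below are assumptions for this example, not a standard schema.
"""
import re
from typing import Dict, List, Tuple

# Sensitive authentication data: must never be kept after authorization.
FORBIDDEN_AFTER_AUTH = ("cvv", "pin", "track1", "track2")


def luhn_valid(pan: str) -> bool:
    """Luhn checksum; used only to reject malformed card numbers early."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the PAN with only the first six and last four digits visible."""
    digits = re.sub(r"\D", "", pan)  # drop spaces/dashes typed by the user
    if not (13 <= len(digits) <= 19) or not luhn_valid(digits):
        raise ValueError("not a well-formed card number")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(record: Dict[str, str]) -> Tuple[Dict[str, str], List[str]]:
    """Split a raw transaction record into (safe_to_store, dropped_fields).

    The full PAN is replaced by its masked form; forbidden fields are dropped
    entirely and reported so the caller can log that they were discarded.
    """
    safe: Dict[str, str] = {}
    dropped: List[str] = []
    for key, value in record.items():
        if key in FORBIDDEN_AFTER_AUTH:
            dropped.append(key)
        elif key == "pan":
            safe["pan_masked"] = mask_pan(value)
            dropped.append("pan")
        else:
            safe[key] = value
    return safe, dropped


if __name__ == "__main__":
    # Constructed sample record; 4111 1111 1111 1111 is a well-known test PAN.
    raw = {
        "pan": "4111 1111 1111 1111",
        "cvv": "123",
        "track2": "4111111111111111=29121010000000000000",
        "exp": "12/29",
        "name": "Test Cardholder",
    }
    stored, removed = sanitize_for_storage(raw)
    print(stored)   # {'pan_masked': '411111******1111', 'exp': '12/29', 'name': ...}
    print(removed)  # ['pan', 'cvv', 'track2'] (order follows the input dict)
```

Expiration dates and cardholder names may be kept, but PCI DSS still requires them to be protected; this example only shows what must not be there at all.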

Following best practices and keeping yourself up-to-date with PCI compliance is one of the most important things you can do to prevent fraud. Another thing to remember is that it is up to you to ensure your team knows what not to do, too. A retail employee who keys in the majority of her transactions may be helping others commit fraud — or she may simply have trouble getting the credit card terminal’s card readers to work. But you won’t know until you check up on her. 

Once your bases are covered with PCI compliance, you can rest easy knowing that your legal and liability concerns have at least been reasonably mitigated.

Additional layers of security may be worth looking into as well, especially if your livelihood involves online sales:

  • Address Verification System (AVS): This system checks whether the billing address your customer supplies matches the address the issuer has on file for the cardholder. Verifying the billing address or zip code against the Visa or MasterCard billing information of the cardholder can prevent misuse and protect your business from fraud.
  • CVV Checks: A CVV check requires your customers to enter the additional three digits on the back of the card (four digits for American Express). Since this information can be stored (and also stolen), it also makes sense to require customers to re-enter the card code whenever there is an unrecognized device or a change to the shipping address.
  • 3-D Secure: This provides an extra layer of security for online transactions. If you have heard of MasterCard SecureCode, Verified by Visa, or American Express SafeKey, then you are familiar with 3-D Secure. MasterCard SecureCode, for instance, requires a PIN code to be entered into an inline window that is securely hosted by the issuing bank. The code is never shared with you directly. This authentication step is designed to reduce your liability and improve security. Many processors that cater specifically to online businesses, such as Stripe, offer 3-D Secure bundled with their services.
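To show how these three checks combine in practice, here is an added example (not code from Merchant Maverick or any processor) of a simple CNP order screen: it uses the AVS and CVV result codes an acquirer typically returns, applies the re-enter-the-CVV rule from the list above for unrecognized devices or a changed shipping address, and treats a completed 3-D Secure authentication as sufficient to accept. The code tables and the accept/challenge/decline policy are assumptions; your processor’s documentation is the authority for its codes.

```python
"""Added example: a minimal card-not-present order screen.

Combines AVS, CVV and 3-D Secure outcomes into one of three decisions:
  "accept"    - process the payment
  "challenge" - ask the customer to re-enter the CVV or complete 3-D Secure
  "decline"   - refuse the order
The code tables are the commonly used US AVS/CVV response codes (assumed here);
the thresholds and policy are illustrative, not a standard.
"""
from dataclasses import dataclass

# AVS response codes (assumed; check your processor's table).
AVS_FULL_MATCH = {"Y", "X"}          # street address and ZIP both match
AVS_PARTIAL_MATCH = {"A", "Z", "W"}  # address only / 5-digit ZIP only / 9-digit ZIP only
AVS_NO_MATCH = {"N"}                 # neither matches
AVS_UNAVAILABLE = {"U", "R", "S", "G"}  # issuer did not or could not check

# CVV result codes (assumed): M = match, N = no match, P/U/S = not checked.
CVV_MATCH = "M"
CVV_NO_MATCH = "N"


@dataclass
class Order:
    amount: float
    avs_code: str
    cvv_result: str
    three_ds_authenticated: bool   # issuer authenticated the cardholder via 3-D Secure
    device_recognized: bool        # customer's device seen on prior successful orders
    shipping_address_changed: bool  # shipping address differs from the one on file
    cvv_reentered: bool = False    # customer re-entered the CVV in this session


def screen_order(order: Order) -> str:
    """Return "accept", "challenge" or "decline" for a card-not-present order."""
    # Hard failures: the issuer says the data the customer gave is wrong.
    if order.cvv_result == CVV_NO_MATCH or order.avs_code in AVS_NO_MATCH:
        return "decline"

    # Rule from the text: new device or changed shipping address means the
    # customer must re-enter the card code before we go any further.
    if (not order.device_recognized or order.shipping_address_changed) \
            and not order.cvv_reentered:
        return "challenge"

    # A completed 3-D Secure authentication is the strongest signal we have.
    if order.three_ds_authenticated:
        return "accept"

    # Without 3-D Secure, require both AVS and CVV to fully match.
    if order.avs_code in AVS_FULL_MATCH and order.cvv_result == CVV_MATCH:
        return "accept"

    # Partial AVS, unavailable AVS, or an unchecked CVV: step up to 3-D Secure
    # rather than silently accepting the liability.
    return "challenge"


if __name__ == "__main__":
    # Constructed sample orders.
    print(screen_order(Order(49.99, "Y", "M", False, True, False)))   # accept
    print(screen_order(Order(49.99, "Z", "M", False, True, False)))   # challenge
    print(screen_order(Order(49.99, "Z", "M", True, True, False)))    # accept
    print(screen_order(Order(49.99, "Y", "M", False, False, False)))  # challenge
    print(screen_order(Order(49.99, "Y", "N", True, True, False)))    # decline
```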

Final Thoughts

Fully grasping the nuances of credit card processing can be difficult. However, it’s definitely worth taking a bit of time to understand how and why card-not-present transactions are different from card-present payment processing.

Even merchants who run brick-and-mortar shops have to deal with the cost of CNP payments. If you have a storefront shop, taking the time to train your team to spot the difference between the two types of transactions and keeping up with the latest compliant software/EMV readers will go a long way towards keeping your costs down — and your payment security tighter.

If you run an online business, your focus should be on making sure you have the appropriate security measures enabled with a good payment processor — preferably one that does the bulk of the work for you! At the end of the day, you will take the hit from chargebacks and fraud if you don’t have the right protections.

Shopping around for eCommerce business solutions? Read How To Choose An eCommerce Merchant Account.

The post What Is A Card-Not-Present Transaction? appeared first on Merchant Maverick.


Complete Guide To Credit Card Machines And Terminals

We don’t typically think about what happens in the moments after we swipe our debit and/or credit cards. More often than not, we simply run or insert our card into the credit card machine and hope that the cashier doesn’t use the next few moments to initiate small talk. The number in our checking account decreases or the number on our credit card bill increases, and that’s all we care about.

But, to the business owner, credit card processing is exceptionally important and it can play a huge role in your bottom line. There’s a lot of information to take in if you’re a novice when it comes to credit card processing, and you’ll need to decide what elements are most important to your business. Do you need mobility when accepting payments? Will you be accepting transactions online or over the phone? What security measures should you be taking to protect both your business and your customers? What companies are highly rated or come heavily recommended?

We’ll try and answer the bulk of your questions about credit card machines and terminals below.

Credit Card Machines

Credit card technology has evolved rapidly over the years. It doesn’t seem like that long ago when the process involved a terminal with just the option for credit. Then came debit cards. As the internet became the world’s go-to for conducting business, the processing game had to change as well. Now, merchants can take payments with readers connected to their phones or tablets — they can even accept payments remotely without the physical card present. This has created a need for increased security, which has led to encryption technology and the relatively recent advent of the EMV chip card.

Before we get into that, however, let’s start with some basics about credit card transactions. You have, no doubt, used hundreds of different types of card readers throughout your illustrious tenure as a consumer. But what happens once your card’s magnetic strip has been read? In simple terms, there are three phases involved in actual processing:

  • Authorization: Once your card is scanned, its information is sent over with a request to be processed. The processing request is then sent to the cardholder’s card network (Visa, Mastercard, etc.). The network sends the request on to the issuing bank. If there are enough funds in the account, and if the card is registered as valid, the purchase is approved. All of this takes place in a matter of seconds, generally speaking.
  • Settling: After a transaction has been approved, it is forwarded on to be cleared via an interchange. When the request is received, a credit is given to the merchant for the amount of the sale. The bank will then issue a statement to the customer in that amount which the customer must then pay off.
  • Funding: So far in the transaction, no actual money has changed hands. After the card has been authorized and the credit is issued, the payment company then makes a deposit into the merchant’s checking account. These funds can generally be accessed in just a few days.

In order to accept these forms of payment, you will need some type of card reader. Your options here have also evolved rapidly in the past couple of decades. The most common type of credit card machine is still the stationary card terminal. This is a machine that needs a physical connection either to a phone line or to the internet in order to process physical cards.

The next type of machine, and one that is rapidly gaining in popularity, is the wireless processor. These often look very similar to a stationary device, using a magnetic strip or chip reader to take a customer’s card information. However, these devices only require a wireless connection, making them far more versatile and mobile for merchants (albeit with slightly higher security concerns).

Finally, you can also accept payments via a virtual terminal, something we’ll get into more thoroughly a little bit later. In short, virtual terminals allow you to take a customer’s card information without that card being physically present.

Of course, within these different machines, you’ll have some other hardware choices to make. One item you may want to look into is a PIN pad. With this device, customers can manually type in their debit card PIN to process a payment. Debit cards with either a Visa or Mastercard logo can be processed almost identically to credit cards. However, with a PIN pad, a transaction that is specifically run as debit usually costs the merchant a smaller fee. This ends up saving you a lot of money in the long run, particularly on large transactions.

Some point of sale systems have this technology built in, allowing customers to enter their PIN on a touchscreen. PIN pads encrypt a customer’s information, giving an inherent level of security on those transactions. As previously mentioned, you don’t need a PIN pad to run these types of transactions. A signature debit card is processed just like a credit card, but the money comes directly from a customer’s checking account. However, in most instances, the merchant is still charged the same rate as if the transaction was run as credit.

One of the more recent changes in the world of credit card processing has been the introduction of the chip card. EMV (which stands for Europay, Mastercard, VISA) is a method of payment based on a standard for cards and machines that is meant to dramatically reduce the possibility for fraud when it comes to credit card payments. EMV cards store data in a chip within the card that is scanned when it is “dipped” or inserted into a card reader or payment machine. Companies have been steadily trying to meet EMV standards and the majority of processors and point of sale companies are now EMV compliant or claim to be in the process of becoming compliant in the near future. VISA and Mastercard have also issued standards for card-not-present transactions as a way to increase security measures in the world of eCommerce.

It’s difficult to predict what the future will look like when it comes to payment processing, but one trend that seems like a near sure bet is that consumers will continue to seek out convenience. This means that services like Apple and Android Pay will probably continue to spike in popularity. Given society’s increased dependence on iPhones for everything from communication to driving directions, the ability to pay with one’s phone is something all companies will want to make sure they can handle — sooner rather than later.

Looking for a credit card machine for your business? Buy, don’t lease!

Virtual Terminals

What is a virtual terminal? Let’s delve in deeper to get a sense of whether or not it’s a solution your business needs. Virtual terminals are online applications that allow customers to input credit card information directly online to then be processed electronically. These terminals allow for transactions to be processed even when a credit card is not physically present. This can be an ideal solution for any business that is highly mobile or conducting transactions remotely with clients.

Many companies, including PayPal and Helcim, offer the ability to use a virtual terminal for payments. The implementation process is exceedingly simple. Generally, for a small, monthly fee, your processor can give you the ability to enter payment information from pretty much anywhere with an internet connection. Most companies will offer a percentage rate and a flat fee for virtual terminal transactions. This fee is often slightly higher than it would be for a typical transaction as card-not-present transactions have a slightly higher risk of fraud.

With PayPal, for example, all you need is a phone, tablet, or computer; you can quickly log in to your account and go to the virtual terminal setting. This leads you to a screen similar to one you would see if you were entering your own information online for a purchase. Once the information is entered, you’ll receive confirmation.

This simplicity and flexibility has made the virtual terminal an increasingly popular way for businesses of all types — not just mail order or eCommerce businesses — to accept payments. An increasing number of companies are now also offering USB card readers that connect directly to your terminal. These automatically take the card information and run it through your virtual terminal, keeping your transactions in the same location but charging you a lower rate since the card is present at the time. Some of these same companies offer pads which can collect customer signatures in the same way. Even with an external card reader, virtual terminals are usually not designed to accept advanced payment types, like contactless payments, from mobile wallets such as Apple Pay. If you want to accept contactless payments, you’re better off getting a standard NFC-enabled credit card machine or credit card reader.

Virtual terminals can also take Automated Clearing House (ACH) payments for one-time or recurring transactions. These payments are processed in batches, meaning the payment is usually received a little later. However, you aren’t subject to interchange fees for these payments.

Obviously, when making or accepting payments where credit card information is simply entered online, security is going to be of the utmost importance. It is highly recommended that you choose a payment provider that encrypts credit card data; this both reduces the risk of theft and the scope of the Payment Card Industry (PCI) compliance.

From there, you will generally have two options.

You can choose a non-validated encryption solution, which can cut down the risk of having data stolen. This is an affordable option that is offered by most processing companies, though these solutions have not been validated as secure by the PCI Security Standards Council. In other words, there is an increased chance that hackers could gain access to encryption keys, which could eventually lead to a data breach.

The other option is a PCI-listed point-to-point encryption (P2PE) provider, which meets all of the PCI standards and includes secure hardware. Processors that provide this level of protection must accept Merchant P2PE Implementation Responsibilities. Because of this added security, a much smaller number of processors offer this service (although that list is growing). If you are set on providing increased security, you will need to make sure you have hardware that meets these standards — you will also have to submit to regular security check-ups.

Merchant Services

When we talk about merchant services, what exactly do we mean? In simple terms, ‘merchant services’ is a broad term to describe the hardware and software products that make it possible to accept credit and debit card transactions. These companies and services help to connect the issuing bank (the bank that gave your customers their credit cards) and the merchant bank (the bank that is behind your merchant account). In the last couple of decades, this term has expanded to include much more than just your standard terminal scanner. The internet has opened the door for payments to be made online and those purchases can be tracked and managed from your computer or mobile device.

Merchant services providers are any businesses that enable merchants to accept payments (aside from just cash and checks). These can include credit and debit card processors, point of sale terminals, analytics software, etc. There are a handful of different kinds of merchant services providers, including:

  • Merchant Account Providers: These providers can set you up with a merchant account and services that allow you to collect your money following a debit or credit card transaction. Some larger companies also come with direct processing services.
  • Payment Service Providers: Even though it’s advisable, it’s not essential to have a merchant account to process payments. Payment service providers, like the ubiquitous PayPal, don’t give you your own merchant ID number and are popular because they generally do not come with account fees or long-term contracts. These accounts can be frozen, sometimes without notice, and customer service can be sketchy. However, for smaller or seasonal businesses, payment service providers are a popular choice.
  • Payment Gateway Providers: Payment gateway providers represent a service provider that has emerged with increased popularity of eCommerce. These providers may or may not come with a merchant account. Some give you a choice of using their own merchant account or using a gateway with an existing account. Others only offer a gateway service, meaning you’ll have to have a merchant account from a third party.

When you’re looking at various card processors, there are a few things that you should keep an eye on. Perhaps most importantly you’ll want to research the company’s reputation. Processing payments is a crucial aspect of your business and an unreliable company can give you a lot of headaches (and affect your bottom line).

You’ll also want to compare the costs and potential fees that various processors implement. Square, for example, charges no monthly fee, which is yet another appeal for smaller or mid-sized companies. However, they also implement a 2.75% fee on transactions — if your business takes off and you’re suddenly processing a high number of transactions, those fees will add up and quickly wipe out any savings you’re receiving from not paying a monthly fee.

You’ll also want to double-check the compatibility of your processor. If, for instance, you’ve found a point of sale system that you are comfortable with, you’ll want to make sure that the processor integrates seamlessly without additional costs. If you’re forced to set up an aforementioned gateway, you could end up paying a large monthly fee.

To enable transactions, merchants will have to fill out an application. If you’re opening a merchant account, this process can take a little longer than going through a third-party processor. One of the reasons smaller and mid-sized merchants lean towards a third-party processing account like Square is that you can be up and ready to take payments almost immediately. The price for that instant gratification, however, is an increased likelihood of account freezes later on.

When you’re in the process of picking out a processor, you’ll also want to pay close attention to transaction fees. The best merchant account providers usually offer what is referred to as interchange-plus pricing. This means that the provider takes the wholesale cost of the transaction and tacks on a small, standardized markup. This ensures an affordable and transparent pricing plan. It also means a slightly higher rate for transactions when a card isn’t physically present since those transactions have a higher frequency of fraud. Third-party processors sometimes provide a flat rate for all transactions — this is convenient and offers a simple way to quickly figure out your fees. However, it may not be the most cost-efficient in the grand scheme of things. A company like Square, which offers a flat rate for swiped and dipped transactions, also charges a slightly higher rate for key-in and eCommerce transactions.

There are a few other things you’ll want to watch out for when finalizing your decision about a merchant accounts provider. Along with the potential for account freezes or funding holds, keep an eye on how businesses handle chargebacks (where customers dispute a charge) and fraudulent charges in general. There are ways to mitigate these dangers, of course. You can use fraud management tools, including things like address verification services. Using a chip card terminal also dramatically cuts back on fraudulent charges.

Here are a few of our most highly recommended processing companies:

  • Fattmerchant: Fattmerchant is one of the best companies for eCommerce transactions. Its pricing is transparent without undisclosed fees. There is also a 0% markup, meaning you pay only the wholesale cost plus the monthly fee and a small authorization fee. Fattmerchant also has terrific customer service.
  • Dharma: Dharma provides a full array of processing services and also has a simple, affordable pricing structure without hidden fees. They exclusively use the interchange-plus format and are a particularly good choice for non-profits, as they offer a discount to those companies.
  • Helcim: For slightly larger companies, Helcim is a very strong option. While offering a wide range of services, they have extremely competitive rates for companies that process more than $2500 a month. They also have very strong customer service, and their fee structure is transparent and easy to understand.
  • Square: For companies that don’t provide a full-service merchant account, Square is the standard bearer. There is no monthly account fee and they offer free or low-cost readers. Square also doesn’t force you to sign up for a long-term contract or charge you for early termination.

Your POS System

Another way to process payments is through your POS or point of sale system. Point of sale systems have come a long way, especially in the past decade. Today, you can virtually run your entire business from one, simple device. With the influx of cloud-based systems, you can make snap decisions and check the status of your operation from anywhere with a wireless connection.

With so many options available, and with point of sale systems offering more and more features all the time, choosing the correct system to meet your needs is an important decision. The first thing you’ll need to decide is whether you want a system that is cloud-based or locally installed. Most companies have been moving toward cloud-based options for numerous reasons. First and foremost, it’s incredibly convenient. All of your data is automatically stored off-premise, so if something happens to your store or to your system, all of your payment, customer, and inventory information is still accessible. These systems are often extremely user-friendly as well, designed to be intuitive with very little training time needed. They tend to be sleek, modern, and visually appealing both to your customers and employees.

Many cloud-based systems also perform routine updates automatically, fixing bugs and adding new features so that you always have the most current software at your fingertips. Along these same lines, the best POS systems sync seamlessly to any number of integrations that can help your business in ways you may not have even considered before.

When you’re looking at purchasing a POS system, there are a number of factors to keep in mind. First and foremost, it’s likely that the cost of the POS hardware and software is going to play a large role. Some systems allow you to purchase your system and all necessary hardware upfront for a flat rate, allowing you to own the software. But if dropping a few thousand dollars isn’t something you’re comfortable with, the majority of point of sale companies offer monthly rates. A few companies, such as Square, offer a free version of their software that is generally suited for small operations, though most other POS software systems run anywhere from $39 to $99 a month for basic services while often offering advanced packages with additional features.

Let’s talk about some features you can expect to find in pretty much any good, modern point of sale system:

  • Inventory Management: Not only can you view all of your stock on hand, you can set your POS to alert you when certain products are running low or, even more conveniently, you can set the system to automatically reorder products when they hit a certain level. This can be an enormous time saver and, in most systems, inventory management can be accessed remotely. You can set up quick transfers across multiple locations and, in many cases, create and print your own purchase orders.
  • Employee Management: Likewise, your staff is easy to track and manage from your centralized POS station. You can set permissions and create alerts for suspicious transactions to cut down on fraud. Employees can be given unique codes when they log into the system and can view their hours and current schedules.
  • Customer Management: Many point of sale systems come with their own built-in loyalty programs or integrate with other companies for a small monthly fee. But these days, your POS can help with so much more when it comes to analytics and marketing. Most systems allow for customer data to be stored and easily searched. Customers can look up their own loyalty points and control their own profiles in some cases. More useful for business owners, however, is the ability for the system to analyze what items are being purchased by certain customers, assessing buying habits and creating personalized marketing campaigns that can be implemented with ease, helping to maximize profits. The same can be done with coupons, targeting customers to boost repeat business.

You will also want to do your research to see which systems specifically cater to your particular business. For example, if you’re opening a pizza shop, you may want to look for a system with built-in features that make online ordering simple, or functions that allow customers to create a custom order which is then automatically sent to the kitchen, freeing up your employees. There are also niche POS systems for specific types of businesses. Quetzal, one of our highest-rated systems here at Merchant Maverick, is built for the retail industry with a significant bent towards shoe stores.

Many POS software systems have their own app store, like Clover, or integrate with scores of apps that might help your business out tremendously. If you’re technically savvy, most POS providers also give you access to an open API, meaning that you or a developer can create your own apps within the software.

When you’re doing your research there are a number of other features you’ll want to keep an eye on. Definitely check to see what features come in the form of add-ons which will increase your monthly fee. You will also want to make sure you have appropriate, compatible POS hardware. Several companies offer hardware packages that can be purchased directly through their websites.

A robust reporting feature should be available in most highly-rated systems and many offer their own eCommerce platforms, making it easy to set up your own website and sell online, all from your POS device.

Another key factor to research is what credit card processors are compatible with your system. While some offer a wide range of choices, integrating with most major companies, others lock you into a limited number of options or offer their own processing services for credit card payments, for better or worse.

You’ll also want to see what your system offers in terms of an offline mode. Most point of sale systems now offer at least some offline functionality, but what you can actually do during an outage varies. Many systems still function as normal, allowing you to accept credit cards, encrypt the transactions, and store them to be run once the internet is restored. Keep in mind that a card accepted offline is not actually authorized until the connection comes back, so you carry the risk of a later decline on those sales.

It’s difficult to make a decision, but at Merchant Maverick, we’ve come across a number of point of sale systems that we would happily recommend depending on your business.

  • Shopkeep: Shopkeep is routinely on the top of our lists. This simple and reasonably priced system features everything you would expect in a point of sale system. It’s well suited for small to mid-sized retail shops and restaurants with a sleek design, excellent reporting and management tools, and terrific customer service.
  • Revel: For slightly larger restaurants or retail establishments, we often recommend Revel, a product that can manage multiple locations and large amounts of inventory with ease. Revel is intuitive and extremely robust with a top-notch kiosk function and Kitchen Display System.
  • Lightspeed: Lightspeed is another highly rated company and offers both a Retail and Restaurant product. Lightspeed has great customer service and is easy to set up while also providing intuitive front end and back end features. It also has an excellent and simple to use eCommerce platform.
  • ERPLY: ERPLY is one of the top retail point of sale systems that we’ve reviewed. One of its biggest features is the ability to integrate with most major credit card processors. It also has terrific shipping integrations and excellent customer management tools, particularly when it comes to loyalty.

Final Thoughts

There is obviously a lot to process when it comes to… well… credit card terminals and payment processing. If you’ve made it this far, hopefully you’re feeling a little more confident about your knowledge of credit card processing machines, virtual terminals, merchant services, point of sale systems, and what you should be looking for from the various companies that provide this technology. Make sure you have a good grasp on what each company charges for different transactions and what might be the best option for your type and size of business. Also don’t overlook things like a company’s customer service reputation. It’s a competitive market and you have the ability to make sure you end up with a credit card terminal and processing system that can best help your business thrive.

Interested in learning more? Download our free Beginner’s Guide To Payment Processing.

The post Complete Guide To Credit Card Machines And Terminals appeared first on Merchant Maverick.


All You Need To Know About PCI DSS Compliance

Instead of explaining every last detail about PCI compliance, I’ve decided to give you a short rundown of the basics; then I’ll point you to some resources that go much more in depth.

The most important thing to keep in mind from all of this is that PCI DSS compliance standards are continually changing. What’s required today may be unnecessary tomorrow, and vice versa. Furthermore, your compliance obligations will differ based on what kind of business you are.

If you are a small eCommerce site that uses a payment gateway like Authorize.Net, your obligations will be much lighter than if you are a large brick-and-mortar merchant that stores your customers’ credit card numbers. The key is to determine which requirements apply to your business type, then make sure that you follow those guidelines to become compliant.

With that said, let’s cover the basics…


The PCI Security Standards Council (PCI SSC)

You’ve probably heard about these folks already. They’re the ones that set the guidelines and tell us how to adhere to them. They have the most current information about PCI compliance, so visit their website to learn more. Remember, their guidance changes regularly, so make sure to stay updated. Obviously, the most important page for you is going to be their “Merchants” page.

What Is PCI DSS?

PCI DSS stands for Payment Card Industry Data Security Standard. These are standards set by the PCI SSC that merchants are required to follow in order to remain compliant.

Where To Start

Most likely you don’t have time to become a PCI expert, so if I were you, I’d watch this PCI rock video, read this Quick Reference Guide, and stop there. The video will introduce you to the whole PCI DSS thing, and the guide gives you enough info to decide what to do next.

This PCI for Dummies ebook by Qualys is also worth a read.

What’s Your Merchant Risk Level?

As I mentioned above, PCI requirements vary according to what your risk level is as a business. Click here to find out what risk level your business is.

Following The 12-Step Program For PCI DSS Compliance

The core of the PCI DSS compliance program is the 12 requirements as outlined in the Quick Reference Guide. Understand these, and you’ll be well on your way to understanding PCI compliance.

  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update anti-virus software or programs.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need to know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security for all personnel.

Self-Assessment Questionnaire (SAQ)

As you’ll learn in the Quick Reference Guide, the Self-Assessment Questionnaire (SAQ) is a quick and easy way for merchants (business owners) to determine which of the above requirements they need to comply with.

Everyone needs to take the SAQ, so you might as well do it now. Remember to read the instructions first.

Using The Right Equipment For PCI Compliance

It turns out you need to be using the right kind of terminal/equipment if you plan on being compliant. Use this search tool to see if your equipment is certified. If not, you probably need to upgrade.

Generally, when you sign up for a new merchant account, your provider will give you up-to-date and compliant equipment.

Small Merchants

If you are a small merchant that doesn’t store anyone’s credit card information, consider yourself lucky! Aside from a few minor tasks, your obligations will be minimal. Check out this link to learn more.

Conclusion

Not much more to say here. Read the above, follow the links, read the documents I’ve referenced, and you’ll be fine. Don’t panic over the complexity of it all. It doesn’t have to be that hard.

Let me know if you have any questions about PCI DSS compliance.


PCI Compliance Fees: What They Are, And How To Handle Them

Have you noticed a PCI compliance fee on your statement recently? Want to know what it’s for? Want to know if it’s legit? Want to know how to get rid of it? Then keep reading…

In the past year, I’ve had a number of merchants ask me about this new PCI compliance fee that’s been showing up on their statements. Sometimes it comes in the form of an annual fee ($99+/year), and other times it’s a monthly fee ($19.95/month). In some rare cases, you may be seeing both an annual fee and a monthly fee.

For merchants that don’t understand PCI compliance, the PCI compliance fee looks like just another junk fee tacked on by their processor to earn them a bit more profit. The truth, however, is somewhere in the middle.

There is a great two-part series on GreenSheet.com that I recommend you read (here’s part 1, and part 2). GreenSheet.com is an “insider” website for the credit card processing industry. It’s what your processor/provider, and their sales people, read regularly. It’s also a great way to learn about the business from their perspective. If you read the two-part article, you’ll probably know more about this PCI compliance fee than about 90% of your peers.

The title of the Green Sheet article is “What does a merchant get for a PCI fee?” That question is exactly the one that merchants should be asking their credit card processor.

What kind of products or services are you getting in exchange for paying this extra fee?

Since there’s so much misinformation around PCI compliance, the field is ripe for illegitimate fees. Don’t be one of those business owners who gets billed without receiving anything of value in return.

What are the potential products or services that your provider may be offering in exchange for said fees? Let’s review them below…

Non-compliance
The non-compliance fee is pretty self-explanatory. Your processor bills you a monthly fee for not being compliant with the PCI DSS standards. The fee usually ranges from $5 to $19.95, with some processors charging as much as $30 a month. It provides no value, and simply serves as a blunt reminder that your processor does not have any proof that you’re compliant.

From the Green Sheet article…

“What about those charging a ‘noncompliance fee’? Does this mean that the [merchant] customer isn’t PCI compliant, and instead of being [brought] to compliance or shut down they get a free pass as long as they pay $xx.xx/month? Sounds like a cop handing out tickets to drunk drivers instead of taking them in.”

This type of PCI fee can and should be removed easily by becoming compliant. Ask your processor exactly what you need to do in order to become compliant, then…become compliant. There’s no reason they should be charging a “non-compliance” fee if you’ve taken all the steps to get compliant. If they continue charging a non-compliance fee even after you’ve met their requirements, then it’s time to switch to a different processor.

Data Breach Insurance
Some processors offer “data breach” insurance to their merchants for a monthly/annual fee. This would be valuable if the insurance were foolproof, but it isn’t.

“What makes this subject so polarizing is the magnitude of liability and the uncertainty regarding who ultimately owns the liability. To wit, when an ISO or acquirer assesses a monthly PCI fee that includes insurance, who is liable if, following a breach, the insurer declines the claim?”

So, in a nutshell, you’re paying a monthly fee for insurance that may or may not cover you in the event of a data breach? The simple fact that some insurance company can “decline the claim” should be sufficient reason for you to be wary of data breach insurance.

If you’re being billed for data breach insurance, you should ask your processor for the details or terms. If you’re not happy with the terms, or your processor doesn’t provide them to you, then start looking for a new processor.

Compliance Support
This is the most legitimate of all the fees charged, and it usually comes in the form of an annual fee. If your processor is regularly contacting you, helping you, educating you, and providing you with scanning services, they have every right to charge you a compliance fee, because they’re giving you something in return. The problem is that very few processors hold up their end of the bargain, yet still charge you this annual fee. On top of that, most of the time your processor will overcharge you for services you could get for less, if you just took the time to learn about PCI compliance yourself.

In certain markets, the person with more information usually has the upper hand. PCI compliance is a market where education pays off. Even if you have to spend a whole weekend researching this stuff, you’ll be far better off than your less informed counterparts. You’ll probably end up paying less in PCI fees, too.


Determining Your Merchant Risk Level For PCI Compliance

Both Visa and MasterCard have created a structure for determining the risk level of a merchant. The more transactions you process, the more risk you pose to the two card brands. In order to maintain some kind of order within PCI compliance, Visa and MasterCard have created 4 risk levels that apply to any particular business.

Knowing which risk level you fall under is important simply because your merchant account provider will require different documents/procedures for each level. Most merchants don’t understand what each of these levels is, so before you submit the right documentation, you need to understand what each level means, and which applies to you.

Below are the PCI merchant levels and requirements from Visa’s site. MasterCard’s levels/requirements are nearly identical:

Level 1
  Merchant criteria: merchants processing over 6 million Visa transactions annually (all channels), or global merchants identified as Level 1 by any Visa region.
  Validation requirements:
  • Annual Report on Compliance (“ROC”) by a Qualified Security Assessor (“QSA”), or by an internal auditor if signed by an officer of the company.
  • Quarterly network scan by an Approved Scanning Vendor (“ASV”).
  • Attestation of Compliance form.

Level 2
  Merchant criteria: merchants processing 1 million to 6 million Visa transactions annually (all channels).
  Validation requirements: see Visa’s site.

Level 3
  Merchant criteria: merchants processing 20,000 to 1 million Visa e-commerce transactions annually.
  Validation requirements: see Visa’s site.

Level 4
  Merchant criteria: merchants processing fewer than 20,000 Visa e-commerce transactions annually, and all other merchants processing up to 1 million Visa transactions annually.
  Validation requirements:
  • Annual SAQ recommended.
  • Quarterly network scan by an ASV if applicable.
  • Compliance validation requirements set by the acquirer.

As you can see, the PCI compliance levels are pretty self-explanatory. I’ve highlighted Level 4 because a large majority of you will fall under this risk level. So, next time your provider or processor tells you that you’re a Level 4 merchant, you’ll know exactly what they’re talking about.


The Quick Guide To PCI DSS Compliance For Small Merchants (Level 4)

A large majority of companies in the U.S. are considered small and medium-sized businesses (SMBs). Most SMBs don’t process any more than 20,000 to 1,000,000 (many far fewer) transactions each year, categorizing them as Level 4 merchants in the PCI world.

For those of you who have read my article on merchant risk levels, you’ll know that Level 4 is the lowest tier, thus requiring the least amount of work for compliance. It’s also the most vulnerable tier for hackers…go figure.

In this guide, I’ll walk you through what you need to do in order to become compliant, and the basics of small merchant PCI compliance. I tried to keep it as short as possible, but I’m not sure I succeeded. 🙂

For Retail (Card-Present) Merchants

Scan Your System
Most credit card processors require proof that you’ve scanned your system for security threats; otherwise they’ll charge you a monthly PCI non-compliance fee. So, make sure you comply with the other steps below, then get scanned when you’re ready. I’ve partnered with Trust Guard, so I’m obviously going to recommend that you get your system scanned by them, but it’s your call. There are plenty of others out there that offer scanning services. From what I’ve seen, Trust Guard is pretty legit though.

Take The Self-Assessment Questionnaire (SAQ)
I discuss the SAQ in my other PCI article, but as a brief overview, the self-assessment questionnaire gives you a basic idea of which requirements you need to follow in order to be PCI compliant. The SAQ will probably reiterate exactly what I’m telling you now, but that doesn’t mean you can skip it. Just like the system scan, most processors require that you take the questionnaire; otherwise they’ll assess a non-compliance fee.

Now, follow these steps:

1. Only use PCI-approved PIN transaction security devices (i.e. PIN pads).
By “device” I mean PIN pads and credit card terminals. Go here to find out if your current equipment is compliant. If not, it’s time to upgrade.

2. Only use PCI-validated POS (point-of-sale) and payment gateway software.
Go here to find out if your current software is validated. If not, it’s definitely time to upgrade. Here’s a good place to find POS hardware/software, and all of my top credit card processors offer payment gateways that are PCI compliant.

3. Don’t store any sensitive cardholder data.
As a small business, it’s very easy to overlook this. I remember writing down credit card information on a notepad for later reference, without realizing how big of a security risk that really was. So, whether on paper or on your hard drive, don’t store any cardholder data. Sensitive authentication data in particular (the full magnetic stripe contents, the CVV/CVC code, and PINs) must never be kept after authorization, even encrypted; if you have a genuine need to retain a card number, it has to be rendered unreadable. If you’re worried that your credit card terminal or PIN pad is storing card data, keep in mind that newer equipment either doesn’t keep the data or encrypts it. So, if your equipment is PCI compliant, you need not worry.

4. Use a firewall on your network and PCs.
This one’s pretty easy. Most operating systems come with some kind of security package that includes a firewall. Just make sure that you regularly check that it’s working, and update it if needed. If you don’t have a firewall, Norton is pretty good.

5. Make sure your router is password-protected and uses encryption.
Another easy one. Your router’s instructions will walk you through the process of password-protecting and encrypting the router. (Use WPA2 for the wireless encryption, not WEP, which is trivially broken and not accepted by PCI DSS.)

6. Use strong passwords. Make sure to change default passwords.
This is a no-brainer. I use a password generator to make myself some quick and secure passwords. Never use the default password for any software or hardware.

7. Regularly check PIN entry devices and PCs to make sure nobody has installed rogue software or “skimming” devices.
This is where the system network scan comes in handy. Your average person doesn’t really know how to look for this kind of stuff, so by using a company like Trust Guard, you can simply rely on their expertise. A network scan won’t spot a physical skimmer or a swapped PIN pad, though: for that, keep a list of your devices with their serial numbers and inspect them periodically for tampering or substitution.

8. Educate your employees about security and protecting cardholder data.
Don’t get lazy about this one. I have a few articles in my PCI Compliance category, so you can refer your employees to them. You also have plenty of resources at your fingertips, so remember to use your favorite search engine.

For eCommerce (Card-Not-Present) Merchants

Follow each step in the list above (except for #1; you obviously won’t have a PIN pad or credit card terminal if you’re strictly eCommerce), plus the following:

Get An SSL Certificate
An SSL certificate ensures that any sensitive data transmitted through your site is encrypted in order to protect that data. An obvious place you’d use SSL is on the payment page during checkout. There are a lot of SSL vendors out there, but if you’re getting your system scan at Trust Guard, you might as well get your SSL through them too. 😉 (Today that means a TLS certificate on a server configured for current TLS versions: the old SSL protocol versions and early TLS are no longer accepted by PCI DSS, so having a certificate installed is not enough on its own.)

One thing I’d like to point out is that there are a few payment gateways out there that can alleviate your PCI requirements almost completely. The way it works is that they have a feature that allows you to conduct the entire transaction on the provider’s own servers, not yours. That way, your own network isn’t even involved in the transaction, which relieves you of much of the burden of maintaining a secure network. (In PCI terms, this fully outsourced setup is what qualifies a small e-commerce merchant for the shortest questionnaire, SAQ A; the page that hands the shopper off to the gateway is still yours to protect.) Check out the CDGcommerce instant PCI page to see what I mean. They do a better job of explaining it than I do.
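To make the “transaction happens on the provider’s servers” idea concrete, here is an added example of the merchant side of a hosted payment page. It is my illustration, not CDGcommerce’s or any real gateway’s API: the field names, the HMAC signing scheme, the gateway URL, the shared secret and the simulated gateway are all assumptions chosen to show the pattern. The point to notice is that the merchant code never has a card number to store, log, or leak; it only signs what it is selling and verifies what the gateway signs back, refusing replays and tampered amounts.

```python
"""Merchant side of a hosted payment page (added example; field names, signing
scheme, URL and the simulated gateway are assumptions, not a real gateway's API)."""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

SHARED_SECRET = b"demo-secret-issued-by-gateway"        # constructed; a real one comes from the gateway
GATEWAY_PAY_URL = "https://gateway.example/hosted/pay"   # hypothetical hosted-page endpoint

# nonce -> (order_id, amount_cents). In production this lives in your database.
pending = {}


def sign(fields: dict) -> str:
    """HMAC-SHA256 over the fields in canonical sorted key=value order, excluding 'sig'."""
    canonical = "&".join(f"{k}={fields[k]}" for k in sorted(fields) if k != "sig")
    return hmac.new(SHARED_SECRET, canonical.encode(), hashlib.sha256).hexdigest()


def build_checkout_redirect(order_id: str, amount_cents: int, currency: str, return_url: str) -> str:
    """Step 1 (merchant): describe the sale and send the shopper to the gateway's page.
    There is no card field here; the shopper types the card on the gateway's page."""
    nonce = secrets.token_hex(8)
    fields = {"order_id": order_id, "amount": str(amount_cents), "currency": currency,
              "return_url": return_url, "nonce": nonce, "ts": str(int(time.time()))}
    fields["sig"] = sign(fields)
    pending[nonce] = (order_id, amount_cents)
    return GATEWAY_PAY_URL + "?" + urlencode(fields)


def simulate_gateway(redirect_url: str, card_number: str) -> dict:
    """Stand-in for the gateway, constructed for this example. It is the only party that
    ever sees the card number; it returns a signed result with at most the last four digits."""
    req = {k: v[0] for k, v in parse_qs(urlparse(redirect_url).query).items()}
    if not hmac.compare_digest(req["sig"], sign(req)):
        raise ValueError("gateway rejects an unsigned or tampered checkout request")
    result = {"order_id": req["order_id"], "amount": req["amount"], "nonce": req["nonce"],
              "status": "approved", "auth_code": "A1B2C3", "last4": card_number[-4:]}
    result["sig"] = sign(result)
    return result


def verify_gateway_result(result: dict) -> bool:
    """Step 2 (merchant): accept the gateway's answer only if it is signed with the shared
    secret, matches a still-pending order, and has not been presented before."""
    if not hmac.compare_digest(result.get("sig", ""), sign(result)):
        return False
    expected = pending.pop(result["nonce"], None)   # one-time use: a replay finds nothing
    if expected is None:
        return False
    order_id, amount_cents = expected
    return (result["order_id"] == order_id
            and int(result["amount"]) == amount_cents
            and result["status"] == "approved")


if __name__ == "__main__":
    url = build_checkout_redirect("ord-1001", 4200, "USD", "https://shop.example/return")
    print("redirect shopper to:", url)
    res = simulate_gateway(url, "4111111111111111")   # public test number, never seen by the merchant
    print("gateway result accepted:", verify_gateway_result(res), "last4:", res["last4"])
    print("same result replayed:", verify_gateway_result(res))
```

The two checks that matter are the signature (so nobody can mint an “approved” result themselves) and the one-time nonce bound to the order and amount (so a genuine approval cannot be replayed or reattached to a bigger order). A real gateway will also give you a server-to-server confirmation call; treat it the same way.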

In Conclusion

You can also visit the Small Merchants page on the PCI Security Standards Council website to learn more about PCI compliance for small business.


Is Your POS System Secure?

Be careful, merchants: Dubbed “PoSeidon” by Cisco Security Solutions, this malware is a new type of trojan that specifically targets POS (point of sale) systems, nabbing the credit card information of your unsuspecting customers.

Cisco stated in a March 2015 report that POS malware attacks are on the rise, affecting businesses both small and large. One example of a recent high-profile POS credit card data breach is the BlackPOS malware strain, which exposed more than 40 freaking million Target customers’ debit and credit card details in 2013.

Concerned? You should be, as you could ultimately be held responsible for the theft of your customers’ data should your POS system become infected. Read on to learn how to protect your business from the PoSeidon virus, and how to minimize your risk of a POS system data breach in general.

The PoSeidon Point-of-Sale Virus

During card-present payment processing, sensitive credit card information is available in plain text in the memory of the POS system. Like most point-of-sale trojans, PoSeidon uses a technique known as “memory scraping,” scanning the RAM of infected POS terminals to find these unencrypted strings that match credit card information. (Card readers that encrypt the track data inside the reader itself, before it ever reaches the POS software, are the direct countermeasure: there is then nothing in plain text for a scraper to find.)

Once this information is retrieved, it’s sold to dubious cybercriminals who might, say, encode it onto a magnetic stripe and use it with a new card.

Senior technical leader for Cisco’s Talos Security Intelligence and Research Group Craig Johnson told SCMagazine.com that PoSeidon stands out from other similar POS malware in that it’s self-updating.

Furthermore, says Johnson, “It has interesting evasions using the combination of XOR, Base64, etc., and it has direct communication with the exfiltration servers, as opposed to common PoS malware, which logs and stores for future exfiltration from another system.”

OK, so don’t worry: you don’t really need to understand everything that guy just said. The takeaway here is that PoSeidon is more sophisticated than previous POS malware programs. Though PoSeidon isn’t the be-all, end-all of POS malware, this lucrative type of crime isn’t going away, either. After PoSeidon, the next, smarter incarnation of POS bug will surely appear to take its place.
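Memory scraping, and the “don’t store any sensitive cardholder data” step in the small-merchant guide above, both turn on the same fact: cardholder data has a recognizable shape, so you can look for it yourself, whether in a file you suspect holds written-down card numbers or in a memory image dumped from a POS host. Below is an added example (my code, not Cisco’s, PoSeidon’s, or Merchant Maverick’s) that scans a byte buffer for Track 1 and Track 2 strings and bare card numbers, keeps only Luhn-valid hits, and reports them masked. The sample buffer is constructed and uses the published test card numbers, not real accounts.

```python
"""Find cardholder data in a byte buffer: a file on disk or a process memory image.
Added example for this page; the SAMPLE_IMAGE below is constructed and uses
published test card numbers."""
import re
from typing import List

# Track 1 as a reader delivers it: %B<PAN>^<NAME>^<YYMM><service code><discretionary>?
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{4})[^?]*\?")
# Track 2: ;<PAN>=<YYMM><service code><discretionary>?
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{4})\d*\?")
# Bare 13-19 digit runs, optionally separated by single spaces or dashes, not part of a longer digit run
PAN_RE = re.compile(rb"(?<![0-9])(?:\d[ -]?){12,18}\d(?![0-9])")


def luhn_ok(digits: str) -> bool:
    """Luhn check digit test; filters order numbers and timestamps out of the digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan: str) -> str:
    """First six and last four, which is the most PCI DSS lets you display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_cardholder_data(buf: bytes) -> List[dict]:
    hits, covered = [], []
    for kind, rx in (("track1", TRACK1_RE), ("track2", TRACK2_RE)):
        for m in rx.finditer(buf):
            pan = m.group(1).decode()
            if not luhn_ok(pan):
                continue
            hits.append({"kind": kind, "offset": m.start(), "pan": mask(pan),
                         "expires": (m.group(3) if kind == "track1" else m.group(2)).decode(),
                         "name": m.group(2).decode("latin-1") if kind == "track1" else None})
            covered.append((m.start(), m.end()))
    for m in PAN_RE.finditer(buf):
        if any(start <= m.start() < end for start, end in covered):
            continue                      # already reported as part of a track
        digits = re.sub(rb"[ -]", b"", m.group(0)).decode()
        if luhn_ok(digits):
            hits.append({"kind": "pan", "offset": m.start(), "pan": mask(digits),
                         "expires": None, "name": None})
    return sorted(hits, key=lambda h: h["offset"])


# Constructed stand-in for a POS process memory dump.
SAMPLE_IMAGE = (
    b"\x00\x00POS app v2.1\x00\x00"
    b"%B4111111111111111^DOE/JANE^25121011234567890?"   # Track 1 from the reader
    b"\x00\x00\x90\x90"
    b";4111111111111111=25121011234567890?"              # Track 2 for the same card
    b"\x00order 1234567890123456 total 42.00\x00"        # 16-digit order number, fails Luhn
    b"\x00keyed card 5555 5555 5555 4444 exp 12/25\x00"  # keyed entry, bare PAN with spaces
    b"\x00typo 4111111111111112\x00"                     # one digit off: fails Luhn, not reported
)

if __name__ == "__main__":
    import sys
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    for h in find_cardholder_data(data):
        print(f"offset {h['offset']:#08x}: {h['kind']:6} {h['pan']} exp={h['expires']} name={h['name']}")
```

Run it with a path to scan that file, or with no arguments to scan the built-in sample. The same matcher is what a scraper looks for, which is exactly why finding these strings on your own disk or in your own POS process memory is a problem: anything this script can read, malware running on that host can read too.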

PCI Security Standards

Fortunately, there are things you can do to protect your POS system from data breaches, and one of these involves something called PCI compliance. Being PCI-compliant doesn’t make you impervious to attacks like PoSeidon, but it helps.

PCI DSS stands for Payment Card Industry Data Security Standard. These are standards set by the PCI Security Standards Council, and merchants are required to follow them in order to remain compliant.

You’ll have to look up exactly what you need to do in order to remain PCI compliant based on your particular type of business (for instance, it’s much simpler to be PCI compliant as a small e-commerce site vs. as a brick-and-mortar store), but basically, the standards require you to do everything you can to protect the cardholder data you process. One thing every merchant can do is use PCI-compliant terminal equipment.

Check out our blog post on PCI compliance to get the online resources you need to make sure your business is compliant with PCI standards.

How Cloud-Based POS Software Can Help

Another important action merchants can take to secure their customers’ data against security breaches, probably the most important thing, is to use cloud-based POS software.

With cloud-based POS software, the card data and customer information is taken out of your hands entirely: this sensitive information is stored encrypted in the cloud, rather than on your POS system. This makes a data breach of your stored records much more difficult. The card still has to be read on a device in your store, though, so a cloud-based system only defeats a PoSeidon-type memory scraper if the card reader encrypts the card data before it reaches the POS device; check that your vendor’s reader does this.

Cloud-based POS software also allows the system to stay up to date more easily, which further helps protect you from new malware and other issues. And it has lots of other benefits, such as allowing the business owner to log in to the cloud POS system remotely.

For a good overview of the deal with cloud-based POS software, check out our very readable article on the subject.

How Do Chip Cards Impact Data Security?

EMV chip or “chip card” technology adds another layer of data security. Also known as “smart cards,” these are credit/debit cards that store the cardholder’s data on a microprocessor chip rather than a magnetic stripe.

Not many US merchants accept chip cards at the moment, but this is likely to change, as a new liability shift rule from the card brands regarding chip card fraud goes into effect in October 2015 (more on that here).

So what do chip cards have to do with data security? Welp, they produce dynamic (changing) card information rather than a single static string of numbers, making them much harder to replicate. While they won’t prevent data theft, they make it so the stolen data itself can’t easily be used to make counterfeit cards and fraudulent transactions.

So, you don’t necessarily need to upgrade your terminals to accept chip cards this very second, but EMV chip transactions are inherently more secure than non-chip debit or credit card transactions (at least when it comes to card-present transactions). As the technology becomes more popular, it will be in your interest as a merchant to accept chip card payments and thereby lower your fraud liability risk.
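Here is an added example (not part of the original post) of what “dynamic card information” buys you. It is a deliberately simplified model, not the real EMV scheme: the chip’s cryptogram here is an HMAC-SHA256 over the amount, a transaction counter and a terminal nonce, whereas a real EMV ARQC is derived with issuer master keys and per-transaction session keys; the keys and card numbers are constructed. The stripe card returns the same bytes on every read, so a copy of one read authorizes forever; the chip card’s output changes every transaction, and the issuer rejects replays, altered amounts and cryptograms made for a different terminal nonce.

```python
"""Static stripe data vs. per-transaction chip cryptograms (added, simplified model;
HMAC-SHA256 stands in for the real EMV ARQC derivation; keys and PANs are constructed)."""
import hashlib
import hmac


def cryptogram(key: bytes, pan: str, amount_cents: int, atc: int, terminal_nonce: str) -> str:
    """Card-side MAC over what the card is being asked to approve."""
    msg = f"{pan}|{amount_cents}|{atc}|{terminal_nonce}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class MagStripeCard:
    """Static data: every terminal reads exactly the same bytes, forever."""
    def __init__(self, track2: str):
        self.track2 = track2

    def present(self, amount_cents: int, terminal_nonce: str) -> dict:
        return {"track2": self.track2}          # amount and nonce play no part


class ChipCard:
    """Dynamic data: a fresh cryptogram per transaction, bound to amount, counter and nonce."""
    def __init__(self, pan: str, key: bytes):
        self.pan, self.key, self.atc = pan, key, 0   # atc: application transaction counter

    def present(self, amount_cents: int, terminal_nonce: str) -> dict:
        self.atc += 1
        return {"pan": self.pan, "atc": self.atc,
                "cryptogram": cryptogram(self.key, self.pan, amount_cents, self.atc, terminal_nonce)}


class Issuer:
    def __init__(self):
        self.cards = {}                         # pan -> {"key": bytes, "last_atc": int}

    def enroll(self, pan: str, key: bytes) -> None:
        self.cards[pan] = {"key": key, "last_atc": 0}

    def authorize_stripe(self, capture: dict) -> bool:
        """All the issuer can check on a stripe read is that the account exists."""
        pan = capture["track2"].lstrip(";").split("=")[0]
        return pan in self.cards

    def authorize_chip(self, tx: dict, amount_cents: int, terminal_nonce: str) -> bool:
        """Recompute the cryptogram with the card's key and insist the counter moved forward."""
        rec = self.cards.get(tx["pan"])
        if rec is None or tx["atc"] <= rec["last_atc"]:
            return False                        # unknown card, or a replayed/stale counter
        expected = cryptogram(rec["key"], tx["pan"], amount_cents, tx["atc"], terminal_nonce)
        if not hmac.compare_digest(expected, tx["cryptogram"]):
            return False                        # wrong key, altered amount, or wrong nonce
        rec["last_atc"] = tx["atc"]
        return True


if __name__ == "__main__":
    issuer = Issuer()
    issuer.enroll("4111111111111111", b"constructed-card-key")
    stripe = MagStripeCard(";4111111111111111=2512101?")
    skimmed = stripe.present(4200, "n1")
    print("counterfeit stripe from one skimmed read authorizes:", issuer.authorize_stripe(skimmed))
    chip = ChipCard("4111111111111111", b"constructed-card-key")
    tx = chip.present(4200, "7f3a")
    print("chip transaction authorizes:", issuer.authorize_chip(tx, 4200, "7f3a"))
    print("same chip transaction replayed:", issuer.authorize_chip(tx, 4200, "7f3a"))
```

The counter is what makes a sniffed chip transaction worthless to replay, and the nonce is what stops a cryptogram captured at one terminal from being presented at another. Neither protects the card number itself from being read off the chip or the stripe that EMV cards still carry, which is why the post above says chip cards reduce what stolen data is good for rather than preventing the theft.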

Conclusion

The PoSeidon virus demonstrates the importance of data security for all businesses, online and off. As the technology used by data thieves continues to advance, so must merchants’ POS systems. Brick-and-mortar businesses often assume that they’re not at risk of data breaches, but Target, Lowe’s, Kmart, and other large and small retailers have learned the hard way just how vulnerable they are.

When it comes to protecting your business from data breaches, having an up-to-date POS system is important. Using a cloud-based system, maintaining PCI compliance, and preparing to accept chip cards when the time comes will all help mitigate this risk.

To get you headed in the right direction, check out our favorite cloud-based POS systems.

Shannon Vissers

Shannon is a freelance writer and editor based in North Park, CA. Shannon kind of wants an iPhone 7, but she’s not really ready to lose the headphone jack.

