Merchant Account Alerts

Looking for a merchant account? Get the low down here.

A Square payment without proper research fails

Mar. 10, 2011 in Merchant Accounts

A long time ago I wrote an article about credit card skimming. It remains the most visited page on this blog, I believe, because credit card skimming is one of those concerns that apply to both consumers and to businesses.

About a year ago one of the founders of Twitter and some other talented business persons came up with a mobile payment method called Square. Square is a very tiny card reader that attaches to the audio port on a smartphone. It’s truly a clever little device that utilizes an existing port that just about every phone has. Merchants can sign up with Square without any fee and start processing almost instantly. Because of the ease of setup, there have been some angry customers with money held, but something like this should be expected as the service operates on a similar model to PayPal. Square got some quick funding, and went off to the races faster than any payment-related service in history. However, there’s a problem…

Unfortunately, Square also introduced one of the most efficient and low-cost methods of creating an advanced credit card skimmer. When you sign up with Square’s processing service, you get the Square for FREE. That’s right, for free you can turn your iPhone into a credit card skimming device. Thieves don’t even have to pay the $50 or so for a skimmer anymore, they get one for free. Not only is Square efficient and free, but they’ve already distributed hundreds of thousands of these little skimming nightmares all over the US.

A criminal signs up with Square, obtains the dongle for free and creates a fake Square app on his smartphone. Insert the dongle into the audio jack of a smartphone or iPad, and you’ve got a mobile skimming device that fits in your pocket and that can be used to illegally collect personal and financial data from the magnetic stripe of a payment card. It’s shockingly simple.

There are 2 major problems with the Square hardware.

First, the Square device does not encrypt data being transmitted between the reader and the phone. This could easily leave the service open to a targeted attack where other software could read the card information while it is being transmitted between the reader and the phone. This sort of issue may never be a major problem, as it would take very specific software or a compromised phone for this flaw to be taken advantage of. However, it still remains a possible security weakness, one that cannot be overcome without updating the hardware completely.

Second, since the hardware has no encryption or secure link between it and the phone/Square service, a programmer could easily write a program that would simply record the card information into a database or file on the phone. This is the main problem that VeriFone and many others are up in arms about. With the large memory cards that are commonly found in phones, a thief could theoretically store millions of card numbers on their phone. Additionally, since just about everyone has a cell phone, it is considerably less conspicuous for a thief to skim cards with a phone than with the dedicated skimmers, which look like something between a pager and a magnetic card reader you would see attached to a computer.

This morning, VeriFone launched an entire website dedicated to bringing down Square. While VeriFone is a direct and probably the largest competitor of Square with their PayWare Mobile App, they have quickly illustrated not only that the Square can be used for skimming, but that there is software that can already be used with the Square hardware.

The problem now is that there are tons of these Square credit card readers all over the place, so the damage has already been done. At this point there’s literally nothing that can be done to prevent skimming using Square devices. There are even applications for BlackBerry and Android that already work with the Square hardware even though it was designed for the iPhone and iPad. I think that this sort of hardware is a perfect example of what happens when a company pushes software or hardware without putting enough research into how to make it secure. There’s more than 1 way to steal a credit card number…

With the amount of focus on PCI and data security over the last 10 years, this is a blatant disregard for the most basic best practices, even those established 10 years ago. Twitter may be a whimsical concept, but there’s really nothing amusing about completely botching credit card data security at the expense of consumers and the businesses who accept those stolen cards…

Update 03-10-2011

So, Jack Dorsey issued a rebuttal to VeriFone’s website and statements about the Square.

Second, as Dorsey points out, credit card fraud is not new. Every single time you hand over your credit card to someone (whether it is a merchant using Square, or any one of the dozens of other credit card input methods) you are trusting them not to steal it. Criminals steal credit card numbers all the time, both online and offline. But it happens, and when it does, consumers are not liable for fraudulent charges, the credit card companies are.

What’s not fair or accurate is Jack Dorsey’s fundamental lack of understanding of how the credit card industry works! Any merchant knows that if they accept a credit card that was stolen, they are liable for the fraudulent charges. There’s no magical credit card company that’s going to float in and take responsibility for it. The merchant loses when it comes to credit card fraud, plain and simple.

This disregard for merchants, all while Square is trying to sell them a processing service, is simply insulting. I’m a merchant as well, and this is just disrespectful.

After reading this, I am completely convinced that Jack Dorsey and Square have no business providing a payment service of any type to anyone. Stick to tweeting…

You can’t spend more than $50 on your debit card!

Mar. 10, 2011 in Merchant Accounts

Chase just released information that they are considering capping all debit transactions at a $50 maximum.

This is in response to the $.12 debit card interchange regulation battle that is being waged between banks and retailers. I will refrain from commenting on the debit card regulation at this point. I’ve made my views and concerns known to the Federal Reserve Board. What I will end with is that the entire debit and credit regulation concept is far more complicated than many would like to believe. It cannot be simply capped without major repercussions, perhaps large enough to hurt the entire US and world economies. Something as important as this should not be attached to major bills and should be voted on separately, as this specific regulation was not.

Merchants finally getting a chargeback break?

Nov. 19, 2010 in Merchant Accounts

Friendly fraud is one of the most frustrating expenses a business owner will ever deal with. Friendly fraud is when a customer utilizes the credit card chargeback system to get a refund on a completely legitimate and honest purchase. It most often occurs in online business, as it is very difficult for a business to win chargebacks, especially chargeback codes 53 and 4853, item not as described. “Item not as described” is such an ambiguous reason for a customer to request a chargeback that it’s simply unfair and often abused.

Traditionally, merchants receive zero benefit-of-the-doubt from card issuers when it comes to chargebacks, mainly because issuers make much more money from their card holding customers than from the merchants that accept them.

MSN’s Red Tape Chronicles recently outlined a changing landscape for cardholders that stands to greatly benefit merchants. Banks are finally starting to crack down on friendly fraud type chargebacks. Banks aren’t doing it specifically for the benefit of merchants; they found that customers who initiate a large number of possible friendly fraud chargebacks are also those often in financial trouble. It will nevertheless benefit merchants.

In a recent survey, it was found that more than 1/5 of fraud losses come from friendly fraud scenarios. Reducing fraud losses by even 5% overall would be a huge achievement, and would account for almost $7 billion per year in recovered revenue for merchants.

The credit card terminal monopoly is official

Nov. 17, 2010 in Merchant Accounts

It just goes to show that US government anti-trust regulations do not apply to B2B organizations!

Verifone just acquired Hypercom corporation. This effectively removes all legitimate competition from the US credit card terminal market. Verifone’s own products have suffered a decline in reliability and quality starting 5 or 6 years ago, so naturally Verifone began purchasing competitors. They started with wireless leader Lipman, and then acquired Way Systems, and now have taken down the last barrier, Hypercom. Verifone stated that this acquisition was to expand their presence in the European market, but make no mistake it removed their last competition from the US market completely.

I don’t want to forget Ingenico, which is one of the world’s largest terminal manufacturers; however, they are a mere drop in the bucket in the US and sell almost exclusively to large chains and direct placement deals that normal mom and pop merchants will never see.

I’m personally appalled that the government allowed this transaction to take place. On the bright side, if Verifone cannot produce a higher quality product, there are several smaller manufacturers that are already gaining serious ground, most notably Dejavoo, ready to replace Hypercom. This will provide the perfect avenue for Dejavoo and others to become much larger terminal brands (until Verifone purchases them of course). Dejavoo’s product is far superior to Verifone or Hypercom and is cheaper than either.

I’m seriously holding back words on writing this. The impact of this on the credit card terminal industry would be comparable to Walmart purchasing Target or Microsoft purchasing Apple. This sort of acquisition is the reason that anti-trust laws exist. It’s unfortunate that the government’s priorities are so far removed from the B2B industries of the country.

What a POS!

Oct. 27, 2010 in Merchant Accounts

Small retail businesses and restaurants are often faced with a tough decision when it comes to their method of customer checkout and the processing of customer credit cards. There are essentially 2 methods that can be used to ring up, and accept payments from customers. The first is the traditional cash register and credit card terminal, and the second is the all-in-one point-of-sale (POS) system. Many times a business owner will jump toward either side without fully understanding their business and their unique requirements.

Why use a POS system?

POS systems can greatly increase a business’s operational efficiency. They allow fast checkout at the counter, and can be used to manage inventory, prices, sales, and everything else a retail business would need with respect to the checkout process. Many of the more advanced models can integrate with a database that also controls an ecommerce website for unified inventory and ordering control. They can be self-contained units, with an attached credit card reader and printer, which can make for a much cleaner and more organized counter-top. For restaurants, a POS system holds the entire menu, and often uses a fast touch-screen interface. This can reduce wait staff / kitchen errors, add and calculate gratuity, and make the entire payment process significantly smoother. POS systems can save lost sales and handle sales better than the fastest cash register operator. POS systems can truly alter the speed and efficiency with which a business operates.

Why not use a POS system?

The point of this article is not to discredit POS systems, as they are absolutely essential for many retail businesses. It is rather to get business owners to look at every aspect of the system before making their decision. This will hopefully relieve some of the upgrade and support shock that is commonly experienced with POS systems down the road.

Cost, cost, cost…

The increased convenience that comes with a POS system often comes at a very high price. Not to say this price is never offset by increased sales and customer satisfaction, but there are real costs in purchasing and owning a POS system. First, there’s the actual monetary price to purchase or lease a POS system, which can be very high, up to $5000 per checkout lane in some cases. There are often additional fees for each transaction you process because the POS system has to use special connections with processing networks. There’s the cost of programming and maintaining the POS system. The initial setup is usually done by a supporting company that comes on-site to install the system. However, just like a computer network, there must be someone on-staff or on-call or on-contract that can manage the POS system. Managing a POS would include making changes to prices, adding inventory, training, etc., but also includes managing the system in case of errors, power failure, hardware failures, and every other failure scenario a computer, credit card terminal and computer network might run into. If the business owner or manager is not technically savvy, which is commonplace, it means hiring a person or company to manage the system.

Whether you are going to do it yourself, hire a dedicated employee, or hire a support company to manage and maintain your system, make sure you understand the potential costs and the potential pitfalls of every method.

Upgrades

The upgrades that POS systems require are not always free or even cheap. When you purchase a POS system, it usually comes with a support contract. Depending on the support contract, it may include updates for the life of the POS system, or it may not include major updates, or may not include updates past a certain time period, or may not include any updates at all. It may not include adding new peripherals to the system. You need to add a second bar code scanner? $500 please!

When security regulations change, or when a bug or flaw in the system is discovered and the whole application needs an overhaul, you may end up shelling out a few thousand dollars per lane for upgrades that you have no choice in installing! If you decide to change credit card processors, I’ve seen multi-thousand dollar fees just to update the system with the new credit card processor’s information.

The point is, POS systems have costs that go well beyond the initial purchase of the system. Make sure you understand all setup costs, upgrade terms and costs, adding or changing peripherals, adding or changing credit card processors, and any other recurring or unanticipated fees that might be required in the future.

Security

PCI-DSS is a constantly evolving guideline for security, and POS systems are often at the sharp end of the regulations. When business owners purchase a POS system, they often assume that the provider is responsible for the security of the system. What we have found in the past 2 years is that this is often not the case, or at least not entirely the case. Even if you have no idea how to manage a POS system, let alone make sure it is secure, you may be responsible and fully liable in the event that someone steals data from your company. Security should be the #1 factor in your decision to purchase a POS system, even before making sure it has all of the features that you need. Neither consumers nor card issuers give a pass for ignorance. Do your homework and make sure that the system is secure now (and PCI compliant) and will be secure, or at least able to upgrade as security policies change, over the next 10 years. Also make sure you understand who is responsible for the security of the system; most likely it will be you.

Proprietary

Some of the POS systems out there have requirements to process with them or with a certain company. While this can work for some businesses, I am always against merchants being tied down to any single provider. If you’re using a proprietary POS system, and your credit card processor is terrible or is ripping you off, it doesn’t matter. You’ve already made the huge investment in money, time, and training, and you’re not going anywhere. The POS provider and the credit card processor know this as well. If you use a product or service that has effectively eliminated competition due to contractual obligations and / or proprietary equipment, expect them to act that way!

Overkill

The final reason not to use a POS system is that it is simply overkill for many businesses. Because the price for a POS system requires a great deal of thought and money for a business owner, it’s not common that I see businesses with a POS system that don’t need one, but it does happen. For very small retail and restaurants, a cash register and credit card terminal are often completely sufficient, and can save the business owner thousands of dollars and hours of headaches. Only you can decide this, but don’t choose a multi-thousand dollar POS system just because you think you need it. Don’t choose a credit card terminal just because you think you’ll never need a POS.

These are things that should be well understood before deciding on any method for checkout and payment processing. POS systems are one of the best ways to help a retail business, but if not understood or poorly planned, they can be the biggest money drain you ever experience.

Finally, always have a backup!

No matter what method you choose for your business, make sure you have a backup method of checking out customers and accepting payments. This could mean a calculator and a low cost credit card terminal for some, or just a manual imprinter for others. An outage of your POS system shouldn’t compromise your business.
