Feb 27, 2013

PCI Compliance – Why Merchants Need To Take It Seriously – Part I

Having a merchant account comes with responsibility.  A merchant is naturally concerned with revenue and growing its business, but payment card industry (PCI) compliance belongs at the top of the list as well.  The purpose of PCI compliance is protecting cardholder data, and it applies to any party involved in processing credit card transactions.  Not following the rules, or engaging in risky practices, can result in card association fines and can put a merchant account in jeopardy of being terminated, quite apart from the data breaches that may occur.  A merchant account termination can be crippling to any business accepting credit cards, especially one that operates purely online.

The Importance of PCI Compliance

According to the Privacy Rights Clearinghouse (privacyrights.org), more than 346 million records containing sensitive information have been breached since January 2005.  According to the Ponemon Institute’s annual study, the cost of a data breach was $204 per compromised customer record in 2009.  The data were obtained from 45 companies that publicly acknowledged, and were willing to discuss, a breach of sensitive customer information.  The same study found that the average total cost of a data breach was $6.75 million in 2009.

Most laws involving credit card fraud and data security breaches target the criminals who carry out the breaches and obtain the card data.  State attorneys general have, however, investigated and filed suits against companies found to be non-compliant at the time of a data breach.  Because the law offers little leverage over merchants beforehand, the only way the card associations can enforce their security standards is to penalize those who do not comply or who put cardholder data at risk.

The Payment Card Industry Data Security Standard (PCI DSS) applies to any organization or merchant that accepts, transmits or stores any cardholder data.  The PCI DSS was first released in 2004 by the major card brands, otherwise known as the associations: American Express, Discover, JCB, MasterCard, and Visa.  Those brands later formed the PCI Security Standards Council (SSC), which now maintains the standard.  Each card association stipulates that the PCI DSS, in addition to the individual association’s own guidelines, must be followed in order to be fully compliant.  Achieving PCI compliance means that you have met the technical and operational requirements of the PCI DSS, and that you have validated this at the level your transaction volume requires.

Consequences of Non-Compliance

Non-compliance can result in fines or other actions by the card associations.  Even though the PCI SSC maintains the PCI DSS, any fines levied for non-compliance are imposed by the card associations, not by the security council.  The card associations usually fine the acquirer under which the non-compliant merchant processes transactions.  The acquirer then passes the fine on to the merchant, independent sales organization (ISO) or third party.  A merchant can, however, also be fined or terminated directly by the card association.

“T.J. Maxx agreed to pay as much as $40.9 million in a settlement with Visa.”

The amount of the fines and fees depends on the type of activity.  A breach of data costs a merchant far more than being found non-compliant with no data breach.  For example, in what was at the time the largest known data breach, T.J. Maxx (TJX) agreed in November 2007 to pay as much as $40.9 million in a settlement with Visa and the bank that processes the company’s credit card payments, as a result of a massive breach of TJX’s customer records discovered in 2006.  (TJX admitted to 45.7 million compromised records, but court filings by the banks suing TJX estimated that about 100 million cards were affected.)  The settlement funds were reported to be used to help U.S. credit card issuers (i.e., banks) recover costs related to the breach.  In 2009, TJX agreed to pay $9.75 million to settle investigations by 41 state attorneys general.  That settlement was the sixth one TJX announced regarding the breach.  Visa originally fined Fifth Third, TJX’s acquiring bank, close to $900,000 for non-compliance.  Of that, $500,000 was assessed “due to the seriousness of this security incident and the impact on the Visa system,” according to a Boston Globe report, and $380,000 was assessed for “TJX’s failure to cease storing prohibited data.”  The “prohibited data” refers to sensitive authentication data such as full magnetic-stripe track contents, which the PCI DSS forbids retaining after a transaction is authorized; storing it is what turns a network intrusion into a mass card compromise.

Following the TJX breach, Visa announced that it had begun fining Level 1 merchants (more than 6 million transactions annually) $25,000 per month if they fail to comply with the PCI DSS.  Although these figures relate to one of the largest data breaches in U.S. history, merchants of every level should take these actions very seriously to avoid risking loss of data, not to mention customer confidence.

How Does Account Termination Affect A Merchant?

So, your processor terminated your account.  You may ask, “What’s the big deal?  I will just get a new merchant account elsewhere.”  Well, it’s not as easy as it sounds.  A merchant who has been terminated is put on MATCH, more or less known as the blacklist of the credit card processing industry.  Formerly known as the TMF (Terminated Merchant File), the MATCH (Member Alert to Control High-Risk) list is a file of merchants who have been terminated for “cause”.  Reasons include activities such as fraud, excessive chargebacks or a PCI violation.  (See a previous blog post on this subject.)  The list is used primarily by acquirers to assess the risk of a business when it applies for a merchant account.  It is tied to MasterCard and Visa, so all acquirers check the MATCH file against any new merchant who applies for an account.  (It’s rare, Costco being a notable exception, for a merchant to accept other cards but not MasterCard and Visa.)  A MATCH listing includes the company name and the names of the company’s principals, but a company’s inclusion on the list does not automatically prohibit it, or its principals, from obtaining a merchant account again.  Acquirers use the MATCH file as an informational tool and will usually base a merchant application approval or denial on a complete investigation.  Once a merchant is on the MATCH list, it is almost impossible to be removed, though it can be done.

Stay tuned for Part II, which will discuss who is really responsible for PCI compliance, working with third party service providers and how to avoid fines, MATCH and account termination.

Feb 18, 2010

Post Transaction Marketing: Is It Worth The Risk For E-commerce Merchants?

In the first half of 2009, e-commerce revenue amounted to approximately $64 billion of all retail sales in the U.S., according to the U.S. Census Bureau.  While e-commerce sales dropped from the same period in 2008, e-commerce’s share of total retail sales increased slightly, from 3.3 to 3.5 percent.  The growing share suggests that more consumers are gaining confidence in online shopping, which is good news for online merchants.  However, the rapid growth of e-commerce has also attracted aggressive direct marketing companies who have found ways to target online shoppers.

By forging relationships with well-known companies that have a substantial online presence and customer base, direct marketing companies are selling club memberships, which incur monthly fees, to online shoppers at checkout.  Unfortunately, not all of those shoppers are aware that they have purchased a membership.  The memberships, masked by offers such as cash back rewards, future purchase discounts or free magazine subscriptions, are frequently tied to trusted web sites.  Shoppers only discovered they were enrolled in the clubs after finding unauthorized charges, ranging from $9 to $20, on their credit card statements, sometimes after they had been charged these fees for several months.

“The memberships, masked by offers such as cash back rewards, future purchase discounts or free magazine subscriptions, are frequently tied to trusted web sites. “

After discovering and investigating these unauthorized charges, most online shoppers found the club enrollment process deceptive and misleading.  What angers cardholders most is that their credit card information was passed on to third parties without their consent.  Unfortunately, the consent was hidden in the fine print of the online offer they accepted, fine print they likely did not read.

High volumes of consumer complaints to the Better Business Bureau, state attorneys general and consumer advocate groups about these controversial sales tactics prompted an investigation by the U.S. Senate Committee on Commerce, Science, and Transportation, chaired by Senator John D. (Jay) Rockefeller (D-WV).  The investigation, launched in May 2009, examined three Connecticut-based direct marketing companies, Webloyalty, Affinion and Vertrue, along with their online retail partners and the web sites that sell club memberships to online shoppers.  The committee’s findings thus far were published on November 16, 2009.

Among the committee’s findings:

These business practices have generated over $1.4 billion in revenue from online consumers
More than 450 e-commerce sites have partnered with Webloyalty, Affinion and Vertrue
E-commerce companies that partner with these direct marketers also share in the revenue from the memberships
88 e-commerce companies have each earned more than $1 million of the $1.4 billion in revenue
Since 1999, online shoppers have been enrolled in more than 35 million memberships
A majority of consumers who contact the call centers of the three leading direct marketing companies do so to question an unauthorized charge on their cards and subsequently request cancellation

These offers are called “post-transaction” because they appear after online shoppers enter their billing information but before the transaction is confirmed.  Misleading “yes” and “no” buttons lead consumers to think they are completing the original transaction, when in fact they are entering into a separate purchase.  If the shopper accepts the offer, the billing information is passed on to the third party that manages the monthly memberships, so the shopper never re-enters a card number and has no visible cue that a second merchant now holds it.  These offers have been found on well-known and trusted sites such as Expedia, Orbitz, Priceline, Hotels.com, Fandango, Buy.com, and Classmates.com (which reported more than $70 million in revenue from the memberships).

In an interview with MSNBC, Webloyalty CEO Rick Fernandez stated that Webloyalty made sure the terms and conditions were clear to online shoppers in the post-transaction process.  Online consumers who were enrolled in club memberships without their knowledge don’t agree.  These marketing and sales practices are hurting e-commerce and tarnishing consumer loyalty to the web sites and companies that employ them.  Complaints from online shoppers, and now the release of the Senate report, are forcing e-commerce companies to revise these tactics toward a more conservative approach, or to end the partnerships with these firms altogether.  Affinion claims that the activities described in the Senate report reflect Webloyalty’s practices, and says it has changed its own business practices, without describing what changes were made.  Vertrue, also known as Adaptive Marketing LLC, stated that it is “strengthening” its practices to provide consumers with “clear, conspicuous and repeated disclosure” of its terms and conditions.

Online merchants should weigh the consequences of similar marketing and sales tactics before deploying them.  Online shoppers prefer to shop with merchants they can trust, and that trust is a strong influence on online shopping behavior and consumer loyalty.