If your merchant account is set up to accept only credit cards (i.e. you are an online merchant or you do not have the ability to accept PIN-based transactions), then the answer is simple – you can only accept credit card transactions at this time. If you accept POS (Point of Sale or in-person) transactions, you can offer your customers the option, provided your processing system is set up to accept PIN-based transactions. So, if you have that option – of offering debit or credit – what’s the difference, you ask? Merchants have different motivators for their choice, as do cardholders. Each method goes through different transaction processing networks, so varying cost structures exist for merchants and issuing banks. The benefits and risks of each method also vary for all parties involved.
First, the only cards that provide this debit or credit option are debit cards with a credit card company logo – also called check cards or electronic checks. Online (not to be confused with ecommerce) debit transactions require PIN authentication (like an ATM transaction) and are processed through debit networks (e.g. NYCE, CIRRUS). Offline debit transactions require a signature and are processed through card association networks (e.g. Visa or MasterCard). All transactions from a debit card are tied to the cardholder’s bank account.
The Bank Side
Card issuing banks earn most of the revenue when their cardholders use their cards, whether they are debit or credit. Some banks entice customers to use their check card by offering incentives, such as rewards and cash back. Most rewards programs require the consumer to use the credit/signature option, which enables the bank to collect interchange fees from the merchant, helping to offset the cost of the rewards. Acquiring banks also earn revenue when either the credit or debit option is used.
Overall, card issuing banks prefer PIN-based debit transactions, hands down. Even though they pay debit transaction fees, banks save money by not paying fees to the card associations.
The Consumer Side
Consumers like using debit cards mostly to avoid writing paper checks. Many brick and mortar retailers no longer accept checks and banks are following suit. Banks in the U.K. decided to phase out their check clearing process by 2018, citing cost savings.
As stated above, consumers can be enticed with rewards. With Bank of America’s ‘Keep the Change’ program, check card purchases (using the PIN or credit option) are rounded up to the next dollar and the difference is transferred into the account holder’s savings account. The bank then matches the transfer amounts up to $250 a year.
Using funds that already exist (e.g. in a checking account) for purchases instead of buying on credit also helps keep the cardholder out of future debt. The cash back option is free with debit purchases and the funds are also deducted immediately from the cardholder’s account – instead of a few days later for credit card purchases. This option is best for cardholders who monitor their bank accounts closely. However, banks do charge fees for insufficient funds on debit transactions.
From a fraud perspective, PIN-based transactions are the most secure. However, cardholders are not protected from fraudulent debit transactions as they are with credit card transactions. If a thief uses a cardholder’s debit card and cleans out their bank account, the cardholder will likely not be able to recover those funds (aside from legal action). If a cardholder uses Verified by Visa, an optional service requiring a personal password, the cardholder is protected under the Fair Credit Billing Act when making purchases online.
By choosing the credit option, as with normal credit cards, cardholders also have the right to do a chargeback if there are issues with a return, fulfillment or satisfaction with a purchased product or service.
“…cardholders are protected under the Fair Credit Billing Act”
The Merchant Side
Merchants prefer PIN-based debit transactions for a few reasons. Debit network fees are lower, there is an instant guarantee of funds and funds settle faster into the merchant’s bank account.
Merchants, particularly ecommerce merchants, like offline debit transactions since they are able to tap into consumers who receive prepaid debit cards or payroll cards, or are unable to obtain credit cards. For those consumers, card-branded debit cards are the only option for electronic payments. Settlement takes a little longer with offline debit transactions, but usually only by a few days.
While consumers can often make larger purchases with credit, there is always the chance that the customer will do a chargeback. Unfortunately for merchants, chargebacks are allowed with offline debit cards, since transactions are processed through the credit card networks and cardholders are therefore protected under the Fair Credit Billing Act.
The Card Associations and Merchant Processors Side
Offline debit card transactions are processed through the card networks, so the card associations, like Visa and MasterCard, prefer this option – for obvious reasons. Merchant processors earn revenue from either option, but there could be more revenue for them with offline debit transactions (depending on the pricing structure). For this reason, some processors fail to offer the PIN-based option to merchants. Sometimes it may be due to an inexperienced salesperson, or the processor not fully understanding the merchant’s processing abilities. Other times, the merchant processor does not even offer the option, hoping the merchant will be none the wiser.
What merchants do have is the choice to offer PIN-based transactions (again, if their processing system is enabled to accept PIN-based debit) and thereby incur lower processing fees. Some merchant processors don’t offer this option, so merchants may need to ask. PIN-based debit transaction fees are typically less than for credit card transactions, but PIN pad equipment is required. Hopefully soon, some form of PIN-based option will be available for ecommerce as well.
In the end however, if the option is there, it is still up to the consumer to choose. Even if a POS system defaults to debit or credit, a merchant cannot dictate which option the consumer is to use.
This blog refers to debit and credit transactions in the U.S. at this time. Fees and acceptance rules vary in other countries.
In January, MasterCard made an effort to enforce new regulations and best practice guidelines pertaining to online direct marketing – specifically “negative option” marketing, which they consider to be a “brand damaging” practice. The FTC Negative Option staff report, featuring five key marketing principles, triggered both Visa and MasterCard to make changes to their operating guidelines.
Operating Guideline Changes
Visa and MasterCard both instituted changes in their operating guidelines in response to consumer disputes about card not present transactions and direct response products and services. MasterCard’s actions followed policy changes from Visa regarding descriptor formats and disclosure of corporate entities related to direct response offers. While the changes concern online marketers and merchants, they also affect direct mail and telephone marketing businesses.
“Remember the Columbia Record Club? They are a prime example of negative option marketing, which shows that it has been around a long time.”
MasterCard communicated their “Direct Marketing Best Practices” guidelines to their acquirers and direct response marketers to further enforce compliance. The guidelines focus on terms disclosure, trial offers, marketing, endorsements and testimonials, affiliate marketing (CPA) networks, billing timeframes, refund policies, back end offers (up-sells, cross-sells), descriptors, order fulfillment, and customer service.
Of course these changes are meant to protect the consumer. However, any business affected by these changes should think positive. Consumer complaints can turn into negative publicity (and subsequently, reduced revenue) for any company. Let’s not forget increased chargeback ratios, which no merchant desires.
A Little History
The Federal Trade Commission (FTC) was created in 1914 to prohibit unfair competition and practices in commerce. The agency enforces laws targeting specific marketing practices and product promotions, such as environmental claims, free products, mail and telephone orders, and negative option offers. Section 5 of the FTC Act prohibits unfair and deceptive practices – more specifically, advertising and marketing, in any medium, to consumers. Section 5 describes a product or service as deceptive if it misleads the consumer or affects consumer behavior. Additionally, product claims (i.e. “xyz product” prevents illness) must be substantiated, especially if they concern health, safety or performance. The key marketing principles listed in the Negative Option staff report are meant to guide the industry in compliance with Section 5 of the Act.
“The FTC Act prohibits unfair or deceptive advertising in any medium”
The FTC also implemented changes to its Guides Concerning the Use of Endorsements and Testimonials in Advertising in December, clarifying that “advertisers are subject to liability for false or unsubstantiated statements made through endorsements, and that endorsers also may be liable for statements made in the course of their endorsements.”
California Is Taking Action As Well
On a similar wavelength, a new bill, SB 340, regarding automatic renewal and continuous service offers was signed into law in October in California. SB 340 came to light following a 2006 lawsuit against Time, Inc., for automatic renewal offers and solicitations. Twenty-three states received complaints from consumers, which resulted in an extensive investigation. Time was billing or automatically charging consumers’ credit cards for magazine subscriptions without consent. The company had changed its renewal policy: instead of subscribers actively renewing, it required subscribers to actively cancel their subscriptions. Otherwise, the renewal was automatic. The renewal policy always appeared in fine print and was not clearly stated.
SB 340 requires businesses to state “clearly and conspicuously” the renewal terms and obtain the subscriber’s approval at the time of purchase. Clear and conspicuous is defined as “in larger type than the surrounding text or in contrasting type, font or color.” In the case of telephone marketers, the audio disclosure must be “audible and understandable.” It also requires the inclusion of a cancellation policy with the renewal offer and an easy way for the subscriber to cancel. The bill goes into effect on December 1, 2010.
Per the FTC Act, sellers are responsible for product and service claims. Third parties, such as advertising agencies, web site designers and catalog marketers, can also be found liable for product deceptions and unfair competition practices. Those found to be non-compliant could face enforcement by the FTC as well as civil lawsuits. Punishment includes cease and desist orders, fines up to $16,000 (per violation), federal injunctions, and consumer refunds.
Recent reports about the security of mobile phone payments have raised red flags on the next hot payment channel. Encryption on GSM calls has already been hacked and various researchers have released findings and tools that might encourage cyber crime. That may not have been the motive, but a GSM encryption codebook – a “how-to” guide to break GSM encryption – has been released by a team of German researchers. Their goal was not to assist cyber criminals, but to encourage stronger security protocols for mobile technology. A Dutch security firm, XS4ALL, discovered a worm that infects iPhone users who conducted banking with ING Group. Recent news also reported that three researchers from Israel broke an encryption algorithm used to encrypt communications on the (fairly new) 3G wireless networks. It’s important to note that GSM is employed in over 80% of mobile phone technology and the algorithm used to encrypt GSM phones is over 20 years old.
“…the algorithm used to encrypt GSM phones is over 20 years old.”
Mobile payments are a hot topic, particularly for companies and merchants targeting the unbanked – or underbanked – segment. Research by Mercator Advisory Group shows that 68% of consumer payments (by dollar volume) will be electronic-based in 2012. The group estimates that volume to be 75% by 2017. Electronic payments offer huge cost savings for merchants, as well as financial institutions. Consumers are demanding more ways to operate remotely as well as easy ways to make payments. It’s a win-win for both sides. However, the fraud issue cannot be ignored. Since smartphone technology is fairly new, few anti-fraud tools have been developed and even fewer have been deployed.
As smartphones provide access to more sensitive data each year, the need for security is of monumental importance. There is some protection available for mobile phones, such as McAfee’s VirusScan Mobile (for Windows Mobile phones) and the VeriSign® Identity Protection Access for Mobile. While these programs protect the phone against viruses, worms, spyware and malware, they do not encrypt data being sent or received. However, VeriSign’s application does use a two-factor authentication tool and iPhones are equipped with Remote Wipe, which can erase the phone’s data remotely, should the phone be lost or stolen.
There are varying levels of security issues, depending on the type of mobile payment (mobile web site, contactless, SMS, etc.). Vulnerabilities in standards, infrastructures, platforms, and technologies (e.g. GSM, NFC, SMS, Bluetooth, RFID, mobile applications) make it complicated for researchers to develop protections against the loss of secure data. Mobile malware and spyware, Trojans, phishing attacks and third party applications add even more threats.
The future of mobile payments, tagged sometimes as ‘m-payments’, would have credit card data embedded on the SIM card or on a chip in the phone. (Fingerprint scanning is envisioned further into the future.) Remote access to the phone and its payment applications would be necessary should the phone be lost or stolen. This would require agreements between carriers, equipment manufacturers and financial institutions. Additionally, organizations that deal with sensitive data (e.g. financial, medical, personal identification) would still have to comply with various regulatory requirements (such as HIPAA and SEC) for protecting data.
A new industry consortium, the Financial Services Technology Consortium (FSTC), formed in 2009, is tasked with developing standards for secure mobile payment transactions, regardless of the device or carrier. Jim Pitts, managing executive of the FSTC’s Payments Standing Committee (Payments SCOM), stated that the standards may also recommend that individuals be authenticated before making a purchase. Standards will likely include the use of a SIM card or data chip to authenticate the device and authorize the payment. Due to various technologies and products in use today, the costs required by all parties will likely cause delays in the standards being accepted as well as compliant products and services being deployed.