GAM Payments Blog

How will EMV technology impact my business?

EMV chip-based credit cards are taking the payments world by storm. It’s clear now that the further spread of EMV is inevitable, so merchants are left wondering how it will end up affecting their business in the long run. This article will give you a full rundown on what EMV is. From there, we’ll tell you what you need to know about how it will impact your business on a day-to-day basis.

What is EMV?

EMV stands for the credit card companies Eurocard, Mastercard, and Visa, and it represents the three major credit card carriers that now use microchip technology instead of magnetic strips. This technology is now known as an “EMV chip.” Because the microchips offer better security than magnetic strips, other carriers like American Express and Discover are using EMV credit cards as well.

For EMV, the card is inserted into a contactless system rather than swiped. This is important—because the chip never has to make actual contact with anything, cards don’t wear out as fast. For further card authentication, which provides an added layer of security, the customer can then be prompted to enter their PIN.

Contactless EMV microchips have become the global standard for credit card security. This is an improvement from the less secure magnetic strip, which has appeared on debit cards and credit cards since they were invented. The magnetic strip contains card payment data and while EMV cards still have the strip, sensitive cardholder data is now protected in the microchip instead of the much more vulnerable magnetic strip system.

The reason cards still contain the magnetic strips is so that merchants who can’t afford to upgrade to EMV card readers yet will have time to catch up. Eventually, magnetic strips will most likely be phased out completely in favor of EMV readers and verification methods.

Why is EMV the New Standard for Credit Cards?

EMV cards are an enormous step forward in terms of verification and fraud reduction. First off, the old magnetic strips are easy to replicate if a credit card is stolen. Microchips, on the other hand, are extremely expensive and time-consuming to replicate. For a lost or stolen card’s EMV microchip to be duplicated, it would take tremendous technical skill and special equipment.

In addition, EMV cards can’t be hacked using card-skimming machines. ATM skimmers are essentially fake ATM card swipe readers that can be installed over an ATM machine by a thief. Since they seamlessly integrate with ATM machines, skimmers look and feel just like real ATMs. But when you swipe your card, your personal data is stolen and stored in the skimmer. Later, when the fraudster retrieves the skimmer, they have the debit and credit card info of everyone who used it.

With EMV cards rendering skimming attempts useless, the credit card industry has defeated one of the most powerful weapons used by credit card thieves. As a result, data breaches will become less likely for the life of your business.

How Will It Impact You?

EMV magnetic chip cards primarily impact merchants taking payments in person, where a customer uses their physical credit or debit card. For service-based merchants, the impact will be minimal. There will also be very little impact for certain types of transactions. If your business operates primarily with one of the following forms of payment, EMV cards will have very little if any impact:

  • Mail or Telephone Orders: If your business primarily processes transactions through the mail or over the phone, the EMV system won’t matter much for you. While modern retailers are doing fewer and fewer of their transactions this way, it is sometimes necessary to use a mail or telephone ordering system. Since these systems collect credit card data by hand, the existence of a microchip makes no difference.
  • Orders Where Payment Info is Entered Manually: For Ecommerce merchants who only collect orders via an online ordering system, either through a mobile application or a virtual terminal, EMV has no impact. For these card-not-present transactions, payment info is entered manually. Since the card is never physically swiped or inserted, the EMV chip is replaced by other security methods.

Technology Upgrades

For other merchants, however—those that process cards in person, using card readers—the EMV system requires that they upgrade their point of sale terminals. Merchants who only have a swipe reader capable of reading magnetic strips will have to buy a new card reader that allows cards to be inserted for the microchip to be read.

If you don’t upgrade your POS equipment, your business could be held liable in cases of credit card fraud. The reduction of fraud liability can make all the difference when just one data breach can bring on a lawsuit where plaintiffs are demanding tens of thousands of dollars. While some businesses might be hesitant to upgrade due to cost, EMV payment technology is becoming more and more affordable. You can also use it as an opportunity to modernize your front-end operations by accepting mobile payments through apps like Apple Pay.

For these apps to work, your registers and POS terminal need to have NFC-compatible payment technology. NFC stands for “near-field communication,” and it essentially allows a machine to register data from a card even though no physical contact is made between the card and the machine. Since EMV and NFC are companion technologies, consider investing in smart EMV readers that can read both microchip credit cards and mobile devices.

Lastly, if you have even one instance of fraudulent activity due to not having EMV-compatible equipment, the cost of the upgrade could end up paying for itself.

More Benefits to EMV

The benefits to EMV don’t stop at security. EMV also allows transactions to happen faster, meaning reduced wait time and shorter lines. That means happier customers.

As an added bonus, this also means that EMV allows you to process more transactions in a day. That means more sales revenue, but it could also snag you lower credit and debit card processing fees and a better interchange rate from payment processors. Added cardholder security can improve your negotiating power for a lower interchange rate as well.

Final Thoughts

There is no escaping the rise of EMV technology for credit cards. But don’t fret! Consider it an opportunity to reach more customers, reduce liability and instances of fraud at your store, and process more transactions than ever. Change can be scary, but if you play your cards right, it can also come with enormous opportunities along the way!

Airline Miles: How we got here and why merchants bear the cost

Airline mile points on credit cards are a great way to increase customer engagement, because they’re a dream come true for travelers. After building up enough points on a credit card linked to an airline brand, frequent flyers accumulate “frequent flyer miles” that they can cash in for flights anywhere in the world. As a result, customer loyalty is rewarded, which in turn keeps those customers coming back to the same airline. In short, it creates loyal customers for life.

Who Pays for Frequent Flyer Loyalty Programs?

When you rack up enough loyalty points for a flight, it feels like a free trip! But is anything truly ever “free?” As our investigation discovered, it’s actually merchants who are bearing the cost of these accrued airline miles, through the processing fees charged by credit card companies.

When a customer earns miles as part of a flyer program, there is a cost associated with that. And someone, somewhere, has to pay it. That’s where fees like interchange fees and foreign transaction fees come in. When legislation like Dodd-Frank cut the maximum fees that credit card companies could charge, loyalty programs took hold.

Card companies shifted to interchange fees for more profit, and those fees are passed on to merchants. Merchants have had to charge more, but customers paying with rewards cards will earn reward points that are funded by these same fees.

The end result is this: Customers earn bonus miles through their card’s rewards program, while merchants pay higher interchange fees.

Loyalty Program Costs

In Europe, interchange fees are capped at a very low amount. This is great for merchants, but has resulted in credit card companies getting rid of their travel rewards cards, and reducing other types of loyalty rewards and benefits for cardholders.

The effect is the same for loyalty programs that get you elite status, early boarding, and other perks. Each of these perks comes with a cost, and the cost is usually borne by merchants in the form of interchange fees from credit card issuers.

Customer Loyalty & Your Interchange Rate

This creates a secondary form of customer loyalty: loyalty to the credit card brand. With the partnership between airlines and credit card brands, loyalty to both is rewarded, while merchants bear the cost.

As time goes on, more and more customer loyalty programs will begin issuing rewards based on money spent rather than simply on mileage. This means that first class flyers will be rewarded more than those who book economy class flights, racking up better rewards for their hard-earned dollar. By doing it this way, more of the cost can be reliably offset with higher interchange fees on the credit cards.

How to Offset High Interchange Rates

Since loyalty programs require credit card issuers to charge merchants higher interchange rates, many merchants respond by raising costs on their customers. Unfortunately, this is the easiest and most direct way to offset the extra cost. The good news for customers is that spending more money at your store can sometimes net them even more points.

You can also find ways to encourage customers to pay in cash, reducing the number of credit card transactions you process. The downside to this strategy? Lower transaction volume means higher overall interchange rates, so you might end up cancelling out part of or all of the benefit you get from cash customers.

Another potential way to offset the costs is to make your company more financially efficient. By lowering your bills and finding better ways to budget, you can make your business lean, saving precious pennies on things like payroll, inventory, even electricity. This frees up money for paying the hidden costs of loyalty programs, but will also make your business work better in the long run.

Final Thoughts

It’s an unfortunate reality of airline miles and other loyalty programs that merchants are the ones who shoulder the financial burden. How this might change in the future is anyone’s guess, but in the meantime, do what you can to offset the costs of these programs by becoming a more efficient business and negotiating the lowest possible interchange rate from your credit card processor.

 

Data Levels

What are data levels?

Credit card processing is involved in every digital transaction using a credit card or debit card. This process transfers credit card information to and from the issuing and acquiring banks involved in the purchase. These transactions must be secure and PCI compliant to prevent data breaches and the theft of confidential information. For security and PCI compliance purposes, different data levels are involved in various credit card transactions. Digital transactions that require secure data transfer may occur between the following parties: business and consumer, business and business, or government corporations. As the data level increases, the requirements for verification and authorization are heightened to ensure the security of processing. Level 1 data processing is used in business-to-consumer transactions, regardless of the size of purchase. Level 2 data processing is required for business-to-business transactions. Level 3 data processing requires the highest amount of security for government or corporation transactions.

Level 1 Data

Level 1 data involves transactions between businesses and consumers. As the first data level, it requires minimal details for verification. This transaction is initiated by the consumer’s personal credit card. The only data required for this purchase is the credit card number, expiration date, and amount of the transaction.

Level 2 Data

For business-to-business transactions, level 2 data requirements must be met. These transactions require level 1 details, in addition to the tax amount, PO number, and zip code of purchase. As the requirements for level 2 processing increase, the consumer is better identified, and as a result, there is a greater guarantee of secure transmission. The higher the data level, the lower the transaction cost. Given the increased verification of level 2 data, the transaction cost of credit card processing is reduced.

Level 3 Data

Level 3 data occurs between government agencies or corporations. Due to the highly classified nature of government transactions, this data must be verified by gathering detailed information regarding the parties involved. Although it may go without saying, level 3 data is the most secure. Each level 3 transaction must include the previous details from levels 1 and 2. In addition, the following information must be provided: line items and categories of shipment, destination of shipment, invoice number, freight amount, and duty amount. These transactions are only performed via eCommerce and primarily for government agencies. However, business-to-business transactions may occur at level 3 as well. Based on the severity of clearance required for level 3 processing, these transactions often cost the least of the three levels. As previously stated, an increase in the information verified lowers the transaction risk and therefore reduces the transaction cost.

Acquiring Level 3

Due to the level of detailed verification and authorization required, not every transaction can be processed at a level 3 data clearance. Notably, not all credit card processors can accept transactions at the 3rd level, as a specific gateway and deeper integration are needed for these secure transactions. A variety of software companies, such as BluePay, Tidal Commerce, and Dharma Merchant Services, can provide the necessary gateway for processing. Additionally, comprehensive information must be provided for Level 3 transactions.

Benefits

There are many benefits to level 3 data processing. At the highest security clearance, businesses and corporations can save an average of 1% on interchange rates and processing fees. This can add up to a hefty savings for any business. When processing transactions at a Level 3 clearance, an itemized invoice is provided, allowing for simplified billing and accounting. Additionally, businesses and government entities can place restrictions on when or how the credit card is being used. Monthly upper limits for transactions can also be established.

While pursuing Level 3 data processing might sound ambitious, it can certainly be advantageous for many businesses. Due to significant financial savings and low-risk transactions, it is often wise for large businesses, corporations, and government entities to pursue Level 3 data processing.

PCI Self-Assessment Questionnaire – how to pass it and how to stay compliant

If you’re an ecommerce merchant processing card-not-present transactions, you need to be PCI compliant. PCI stands for “Payment Card Industry,” and being compliant means staying up to date on all the necessary data security practices.

Since hacks of customer credit card data could sink your business, a trade organization called the PCI Security Standards Council creates, updates, and enforces what are known as the PCI standards. These are protocols that are meant to protect merchants and customers from fraud. Collectively, these standards are called the PCI-DSS, or “PCI Data Security Standard.”

To enforce the PCI DSS, merchants fill out something called a PCI SAQ, or “Self-Assessment Questionnaire.” The PCI DSS Self-Assessment Questionnaire lays out step-by-step questions to make it easier to comply with PCI-DSS. In this post, you’ll learn more about the standard and the questionnaire.

By being ready for the PCI security questionnaire, you’ll be in the best possible position to stay compliant. That means avoiding costly penalties for non-compliance, staying one step ahead of hackers, and protecting your company from customer lawsuits resulting from credit card fraud.

After all, nothing damages customer trust like a breach of cardholder data.

How Do I Get PCI-DSS Compliant?

Different merchants have different compliance requirements depending on their category. These categories are meant to give different types of merchants a way to report on compliance to stay in good standing with the PCI.

The first step to PCI-DSS compliance is figuring out where your business stands. There are different “levels” with various criteria from each of the major credit card companies. These levels determine your individual reporting requirements.

Different credit card brands have different criteria for each level. That’s why you have to check with each credit card brand—one company will have different criteria for meeting each level than another.

What Are the Levels of PCI Compliance?

As previously mentioned, the exact criteria for each level of PCI compliance are different for each credit card brand. For example, Visa e-commerce uses slightly different requirements than merchants processing Mastercards.

For all of the different brands, levels are based on your overall risk profile as a business. The information below gives you a good idea of what to generally expect based on the total credit card payments your company processes yearly. The PCI Self Assessment Questionnaire helps you determine which level you fall into.

Level 1

Level 1 requirements come into play for merchants that process six million or more transactions per year.

Level 2

Level 2 merchants are those processing fewer transactions than those in the Level 1 category. To be a level 2 merchant, you have to process at least one million transactions per year. But process more than six million per year, and you’ll be bumped to level 1.

Level 3

Level 3 is applicable for merchants processing between 20,000 and one million transactions per year.

Level 4

Level 4 requirements are commonly for small companies. However, a company that processes very few transactions can still be taking in high amounts of revenue; it just means that each client comes with more revenue opportunity. Either way, level 4 merchants are those that process fewer transactions than any of the other levels: under 20,000 per year.

How Often is PCI-DSS Validation Required?

In order to be PCI-DSS compliant, there are validation processes that must take place. These involve self-assessment questionnaires and PCI representatives called Qualified Security Assessors, or QSAs. However, the details and frequency of validation vary according to which level your business qualifies for.

As outlined in the last section, your company’s level is based on the total number of annual transactions. But in addition to annual transactions, your level might be different depending on which card brand is assessing you. Consult each of them individually to determine your PCI DSS requirements for each.

Typically, merchants at levels 2, 3, and 4 are only required to complete a self-assessment questionnaire. Meanwhile, level 1 merchants are validated by a Qualified Security Assessor (QSA) from the credit card company.

What are the requirements to be in compliance with PCI Data Security Standards?

Security Management Procedures

If you’ve ever asked yourself, “How do I become PCI compliant,” the first step is in adopting the proper security management procedures. Proper security ensures that customer credit card information like account numbers and expiration dates are protected at every phase of checkout, both on your end and on the part of your acquiring bank.

Since ecommerce involves the transmission of information through various servers and networks, there are lots of opportunities for fraudsters to try to swoop in and hack the data. Protecting it requires security measures at every layer: the ecommerce store, the network architecture, and the actual payment processing software. We’ll discuss each of these in more detail.

Ecommerce Store

Your ecommerce store is where customers add items to their shopping cart and begin the checkout process. All ecommerce websites should use Hypertext Transfer Protocol Secure (HTTPS). HTTPS-active sites display “https://” at the beginning of a website address, before the “www.” On HTTPS sites, information moving across the servers is more secure than on non-HTTPS sites.

Your checkout system should also use SSL encryption. “SSL” stands for “Secure Sockets Layer,” and it refers to certain cryptographic protocols for securing digital information as it moves from place to place.

PCI-DSS Compliant Software

If you use checkout software from a third party, make sure they use SSL and any other necessary encryption methods. While you can usually expect SSL encryption to be a standard feature from any reputable credit card payment service provider, always double-check.

Without encryption, hackers could have free rein over your customers’ payment card information. Anti-virus software is only the beginning—you need to make sure your payment card processor and other vendors use the latest encryption technology. You also need to make sure that you have secure data storage and transmission throughout the entire process.

PCI-DSS Network Architecture

PCI compliance demands a strong network architecture. That means your networks need to take security seriously during the design phase, and that security not be phased in as an afterthought. Also, once a strong network is built, it needs to be maintained.

Maintaining a secure network requires ongoing checks and updates. You need to analyze your network systems for any vulnerability. You should also have a plan in place for dealing with them. Monitor your network for signs of intrusion or other issues, and perform security tests regularly so that you can catch weaknesses early, before a hacker has a chance to exploit them.

How Can I Stay Compliant?

To stay PCI DSS compliant, many merchants will have to get a quarterly self-assessment scan done by an approved vendor. The purpose of the scan is to find vulnerabilities in your credit and debit card payment systems.

These scans usually happen quarterly, but they are also necessary if there are any major changes to your network or system. For example, updating your computers or switching to a new provider would both be situations where you should be re-scanned to stay compliant.

For the scan to be effective, it has to cover all systems that communicate credit or debit card information. That includes the network itself but also your operating system, web-based application software, payment terminals, and any other software or hardware system that receives, transmits, or stores payment data. To keep up with proper PCI data security, get your systems scanned every 90 days.

Final Thoughts

The PCI DSS is there to protect you and your customers, and the PCI DSS SAQ makes the process quicker and easier, saving you time and money. But proper security controls shouldn’t be looked at as a nuisance. Rather, look at them as an investment.

By putting in the effort to become PCI compliant with the standard PCI protocols, you’re saving yourself the hassle of dealing with a data breach. These breaches can cause a loss of customer trust that can take years to earn back. The investment in avoiding serious data leaks with a regular PCI DSS assessment could be one that saves your business.

Merchant Accounts in Puerto Rico: Everything You Need to Know

The process of opening and on-boarding merchant accounts in Puerto Rico is quite different than in the US. From different providers and standards to tax considerations, there are lots of differences between the business environments of Puerto Rico and the mainland United States that affect the process.

For that reason, it can be challenging for newcomers to open or on-board a merchant account on the island. However, as we learned, it can be done! When a GAM client wanted to move their operations to Puerto Rico, we learned a lot about navigating the process in a place where the rules and processes were different across the board.

Here, we’ll share everything that going through the process taught us.

Initial Challenges: Learning How Merchant Accounts Work in Puerto Rico

When we were first tasked with moving this client’s account to Puerto Rico, we knew we needed help. But we weren’t able to on-board the account through any of our usual channels, as they weren’t set up to handle it—that even includes resources in Europe and Latin America.

So we took the only route that we had left, and spent countless hours on the phone consulting with experts in the payment industry. These consultants have a combined industry experience totaling hundreds of years, and are the best and brightest in the business. Finally, after long conversations with some of the most knowledgeable and experienced people throughout the space, we were able to figure out how the Puerto Rican system works.

Only then could we engineer a solution for our client…and it turns out, it all started with Puerto Rico’s unique system for credit card processing.

The Unique Debit Network in Puerto Rico

Just about every payment terminal and merchant account in Puerto Rico has an account or PIN number associated with it that starts with a zero. This is a function of how the main bank debit network in Puerto Rico was designed. In the US, accounts from brands like MasterCard, Discover, and American Express all begin with other numbers.

As a result, payment terminals easily malfunction, because they are not designed to recognize an account number that starts with zero. This complicates business for payment processors. To make matters worse, changes in the tax system began to require daily reporting for taxes, making things even harder for payment processing businesses and merchant account companies.

As a result, most payment processing companies took their business off of the island. Only the biggest ones could manage to stay profitable in the new business environment, making the biggest payment processing companies even bigger and more powerful. With their own account number system unique to the island, now just two payment processing companies essentially control all of Puerto Rico’s payment processing business.

As a side effect, because merchants only have two choices, there is very little competition in Puerto Rico’s payment processing industry. So much control from so few companies results in higher rates for businesses in need of a merchant account, payment processing partner, or POS system.

In Puerto Rico, there are also different tax laws than in the United States. These play a critical role in the process of opening a merchant account there.

Taxes in Puerto Rico

Tax reporting in Puerto Rico works differently than on the mainland U.S. In Puerto Rico, laws require a complex and time-consuming daily reporting process. The island’s Treasury Department also retains a high level of control over smaller aspects of business, so to navigate that influence, we had to look at higher-risk banks to partner with. Even though they charge higher rates, they would be the most adept at wading through all of these factors: the debit network, the tax issues, and the influence of third parties.

We would be charged even more, because we were considered a non-standard, foreign account and there would be more work involved for the bank. But after extensive conversations with many banks and companies, we were finally able to secure a partner.

Final Thoughts

Thanks to this relationship, we are now able to offer our clients underwriting and merchant accounts in Puerto Rico, opening up whole new avenues for business owners looking to open up or move to the island. As a result of going through the process from beginning to end, GAM is also now one of the most knowledgeable firms when it comes to merchant accounts in Puerto Rico. That allows us to bring incredible value to a whole new group of clients.