Transcript TRMG

TRMG
St. Louis
To Get PAID?
October 9-11, 2011
Trends in Payments
Most Common EFT Payment Types
EDI (Electronic Data Interchange)
- usually used by large companies for large payments
WIRE Transfers
- usually used for same day payment
- international payment
- final payment
ACH (Automated Clearing House)
- universal usage
Credit Card
- primarily used for smaller payments
- customer convenience
- ‘perks’
Obstacles To Change
• One size DOES NOT fit all
• Difficult Integration with Operating Systems
ERP/Accounting/Payment Process/Technology
• Customer Willingness/Ability to Adopt
• Pareto’s Principle ??
Part of the Problem
Pareto's Principle
aka
Vilfredo Pareto-Italian Economist
the “vital few and trivial many”
…Dr Joseph Juran, PHD .1906
aka
“The 80-20 Rule”
PULLED ACH
Single Payment Entry
16354
084000084
156564163
(OPTIONAL)
$5525.50
ABC Plumbing
Apply transaction to invoice # 1165339
[email protected]
Remittance Upload
Eliminate the labor intensive process of entering your remittance
information. Now you can simply attach a file containing this critical
information along with your payment!
Transaction # 646053
PULLED ACH
Multiple Invoice Entry
Transaction # 646054
16354
084000084
156564163
(OPTIONAL)
995
$1001.50
997
$100.00
999
$500.50
ABC Plumbing
Apply transaction to invoice # 1165339
No. of Invoices: 3
Amount: $1602.00
Deduct late fees on all invoices
PULLED ACH
Scheduled Payment Entry
Transaction # 646055
16354
084000084
156564163
(OPTIONAL)
ABC Plumbing
$5525.50
Apply transaction to invoice # 1165339
Transaction Report
Lonardo Food Services
Goodstein’s Crown Molding Inc.
94156
Halpern Industries
Fountain’s Fence, LLC
123450000
PULLED ACH
CTX Formatting
Transaction # 646054
16354
084000084
156564163
(OPTIONAL)
995
$1001.50
997
$100.00
999
$500.50
ABC Plumbing
Apply transaction to invoice # 1165339
No. of Invoices: 3
Amount: $1602.00
Deduct late fees on all invoices
CTX Reporting (EDI-820)
Paper is no longer needed to store or transfer data.
Computers may now retrieve and exchange payment remittance advices.
• Significantly reduce lockbox fees
• Automated cash applications
• Automated posting
• Eliminate admin tasks such as data entry
• Improve efficiency of A/R operations
PUSHED ACH
Via YOUR COMPANY WEBSITE
PUSHED ACH
Sample Registration
User
********
********
Online Bill Pay Customer
[email protected]
PUSHED ACH
Payment Entry
Transaction # 646053
16
084000084
156564163
(OPTIONAL)
995
$1001.50
997
$100.00
999
$500.50
No. of Invoices: 3
Amount: $1602.00
ABC Plumbing
Apply transaction to invoice # 1165339
Deduct late fees on all invoices
PUSHED
Credit Card Entry - Option
Transaction # 646053
16
1525 SW
33193
Miami
ABC Plumbing
41111111111111
4141
995
$1001.50
997
$100.00
999
$500.50
No. of Invoices: 3
Amount: $1602.00
Apply transaction to invoice # 1165339
Credit Card Merchant Services
Reduce your processing fees and the cost
of accepting payments by credit card.
Ecosystem of a credit card transaction
Three key entities manage the payment system.
Issuers <Others>
• Issue cards
• Assume buyer’s credit risk
• Generate reports
• Provide customer service
Networks <Others>
• Provides systems/operations
• Develops products
• Provides risk management
• Provides advertising and promotions
• Sets standards and rules
Acquirers
• Sign up merchants
• Underwrite merchant risk
• Provide processing
– Authorization
– Capture/Settlement
• Generate reports
• Provide customer service
OTHERS
Ecosystem of a credit card transaction
• MCC
• Business Type
Bank Fees
• Level I
• Level II
• Level III
Interchange Rates
• Personal
• Business
• Corporate
• Debit
Data
• Card Present
• Card Not Present
Card Type
Presentment
• Negotiated
• No Padding
• Unbundled
• Net Billing
• No +++ Fees
• Tools
• Funds Available
If a customer is going to pay by credit card, can I
force them to make the payment right away
without extending terms?
YES, the merchant is not required to offer
delayed payment via card. You may establish a
policy whereby cards are accepted only when
the customer is paying in full at the time of the
transaction. This policy must be applied to all
types of cards.
If a customer has been extended terms and then
wants to pay an invoice 30 to 60 days later, can I
refuse to accept their card and require that they
pay with another form of payment other than
credit card?
Yes, you may take cards just for payments in full
provided that it is clear to the customer at the
outset (card acceptance terms must be clear).
Can terms for credit card paying customers be
different than those paying by check?
You must honor all valid cards without
discrimination when properly presented for
payment. A merchant must maintain a policy
that does not discriminate among customers
seeking to make purchases with a card.
Mastercard 5.8.1
If I accept cards for regular sized payments that
are usually $1,500, and then a new customer
wants to place an order that will cost $50,000
and wants to pay by credit card, can I refuse to
accept payment by credit card because it is a
sizable payment or can I renegotiate terms or
the price?
You must not require, or indicate that you
require, a minimum or maximum transaction
amount to accept a valid and properly presented
card.
Can I pass the cost of the credit card processing
along to my customer in the form of a fee?
No, Visa and MasterCard regulations do not
allow you to charge a fee or pass back the
interchange to the cardholder for accepting
their card for payment.
Can I charge my customer a Convenience fee?
VISA
• Charged for a bona fide convenience in the form of an alternative payment channel outside the Merchant’s customary payment channels
• Disclosed to the Cardholder as a charge for the alternative payment channel convenience
• Added only to a non face-to-face Transaction¹
• A flat or fixed amount, regardless of the value of the payment due
• Applicable to all forms of payment accepted in the alternative payment channel
• Disclosed prior to the completion of the Transaction with an option for the cardholder to cancel the transaction
• Included as a part of the total amount of the transaction (single transaction which has Convenience Fee Amount and Principal Payment Amount combined in the total amount field)
• Not added to a recurring transaction.
Can I charge my customer a Convenience fee?
Mastercard
• A merchant must not directly or indirectly require any MasterCard cardholder to pay a surcharge or any part of any merchant discount or any contemporaneous finance charge in connection with a MasterCard card transaction.
• A merchant may provide a discount to its customers for cash payments.
• A merchant is permitted to charge a fee (such as a bona fide commission, postage, expedited service or Convenience Fees, and the like) if the fee is imposed on all like transactions regardless of the form of payment used.
• Common Convenience Fee practices associated with MasterCard include:
– The Convenience Fee can vary based on the amount of the transaction
– MasterCard believes the best practice is to utilize the two-transaction method where there is a separate transaction for the Principal Payment Amount and a separate transaction for the Convenience Fee. However, if the merchant is also accepting Visa for a non-tax, a single transaction is required. To simplify processing in this case, a single transaction method would be used for all card types.
If I can’t charge a fee to cover the credit card
processing fees, is there a way to reduce the
cost of processing fees?
• Process directly with the Processor, not ISOs
(which may include Banks)
• Consider including the cost of processing in
the cost of goods so that cash discounts may
be offered
• Review processing procedures and policies
regularly to assure best practices
• Negotiate for better rates with your processor
• Bundled vs. Unbundled pricing model
• Make sure you are set up with the correct
MCC code with your processor
• Make certain that your processor does not
practice ‘padding’ of the Interchange fees
• Make sure there are no hidden fees
• Make certain you are being billed on NET
processing.
• CNP transactions should most often include
the use of a PC for processing.
• Make certain that all necessary data is being
included with the transaction
• Use of Level III processing
• Use of Level III large ticket
Level I, II and III Data Requirements

Data Type                     Level 1   Level 2   Level 3
Merchant Name                    x         x         x
Transaction Amount (Total)       x         x         x
Date                             x         x         x
Tax Amount                                 x         x
Customer Code (16 Char)                    x         x
Merchant Postal Code                       x         x
Tax Identification                         x         x
Merchant Minority Code                     x         x
Merchant State Code                        x         x
Item Product Code                                    x
Item Description                                     x
Item Quantity                                        x
Item Unit of Measure                                 x
Item Extended Amount                                 x
Item Net / Gross Indicator                           x
Item Tax Amount                                      x
Item Tax Rate                                        x
Item Tax Identifier                                  x
Item Discount Indicator                              x
Ship from Postal Code                                x
Freight Amount                                       x
Duty Amount                                          x
Destination Postal Code                              x
Destination Country Code                             x
Alternate Tax Amount                                 x

Level-I and Level-II data elements can be transmitted via a standard
credit card point of sale terminal.
Level-III line item detail requires greater system capability, which is
provided via Fifth Third-partnered payment processing applications.
Sample Transaction Costs:
Interchange Expense
Visa Purchasing Card: $500 transaction
Purchasing B2B Rate (Level I): 2.10 + .10   $10.60
Purchasing Level II Rate: 2.05 + .10   $10.35
Purchasing Level III Rate: 1.80 + .10   $ 9.10
14% reduction in cost by processing Level III versus Level I data
MasterCard Purchasing Card: $500 transaction
Purchasing Data Rate I (Level I): 2.65 + .10   $13.35
Purchasing Data Rate II (Level II): 2.40 + .10   $12.10
Purchasing Data Rate III (Level III): 1.80 + .10   $ 9.10
32% reduction in cost by processing Level III versus Level I data
Interchange only -- Not showing all interchange categories
Breakdown of Cost
Total Cost = $12.46
Interchange represents 85% of the cost of this transaction.
*Based on Average Ticket currently qualifying for the Visa Commercial B2B (Purchasing, Business, Corp) rate
Sample Transaction Costs:
Interchange Large Ticket Expense
Visa Purchasing Card: $7500 transaction
• Standard Rate 2.95 + .10   $221.35
• Business Electronic 2.40 + .10   $180.10
• Business Card Not Present 2.25 + .10   $168.85
• Purchasing Level II Rate: 2.05 + .10   $153.85
• Purchasing Level III Rate: 1.80 + .10   $135.10
• Large Ticket .95 + 35.00   $106.25
most common
Effective Rate 1.41%
48% reduction in cost by processing Level III versus Level I data
Interchange only -- Not showing all interchange categories
Sample Transaction Costs:
Interchange Large Ticket Expense
Visa Purchasing Card: $25,000 transaction
• Standard Rate 2.95 + .10   $737.60
• Business Electronic 2.40 + .10   $600.10
• Business Card Not Present 2.25 + .10   $562.60
• Purchasing Level II Rate: 2.05 + .10   $512.60
• Purchasing Level III Rate: 1.80 + .10   $450.10
• Large Ticket .95 + 35.00   $272.50
most common
Effective Rate 1.09%
60% reduction in cost by processing Level III versus Level I data
Interchange only -- Not showing all interchange categories
Can I pass the cost of the credit card processing
along to my customer in the form of a fee?
No, Visa and MasterCard regulations do not
allow you to charge a fee or pass back the
interchange to the cardholder for accepting
their card for payment.
Why can some companies/industries pass along the fees to their
customers and we cannot?
Convenience Fee Compliance Summary
Industry/Card Network: Fixed Fee, Variable Fee, Face-To-Face, Registration Required, Single Transaction Support, Two Transaction Support, Recurring Transaction, Third Party Processor Support

Utilities (MCC 4900)
Visa¹: Yes, No, No, No, Yes², Yes, No, No, No³
MasterCard: Yes, Yes, Yes, Yes, Yes, No, Yes
Discover: Yes, Yes⁶, Yes, No, Yes⁴, Yes, No, Yes
Amex: Yes, Yes, Yes, No, No, Yes, No, Yes

Government Tax (MCC 9311)
Visa: Yes, Yes/No⁷, Yes, Yes, No, Yes, Yes, Yes
MasterCard: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Discover: Yes, Yes⁶, Yes, No, Yes, Yes, No, Yes
Amex: Yes, Yes, Yes, No, No, Yes, No, Yes

Education & Government Non-Tax
Visa: Yes, No, No, No, Yes, Yes, No, Yes⁵
MasterCard: Yes, Yes, Yes, Yes, Yes, Yes, Yes, Yes
Discover: Yes, Yes⁶, Yes, No, Yes⁴, Yes, No, Yes
Amex: Yes, Yes, Yes, No, No, Yes, No, Yes

Other Industries
Visa: Yes, No, No, No, Yes, No, No, No
MasterCard: Yes, Yes, Yes, No, Yes, Yes, No, TBD
Discover: Yes, Yes⁶, Yes, No, Yes, Yes, No, Yes
Amex: No, No, No, No, No, No, No, No
How are the rules enforced and what are the
consequences of non-compliance?
Generally enforced ‘reactively’ instead of
‘proactively’ but fines may be levied. Severe
cases can cause your company to be blacklisted.
What card data can be stored?
Customer Name
Credit Card Number
Expiration Date
(security code should NEVER be stored)
Is it true that the credit card processing activity
will be reported to the IRS beginning 2011?
Yes, income through credit and debit card
transactions will be reported to the IRS starting
in 2011. No real reporting mechanism is known
at this time.
The Reality of Card Data Compromise
Card Data Compromise Statistics
[Chart: Card Present; values shown: 1%, 24%, 73%, 75%]
In contrast to common belief, Card Present merchants are twice as likely
to be compromised as Card Not Present merchants.
As a consumer, you are more likely to have your card stolen making a
face-to-face transaction than when shopping online.
Source: Trustwave (based upon total number of breach events)
The Reality of Card Data Compromise
Card Data Compromise Statistics
[Chart values shown: ≤2%, 4%, 4%, 4%, 56%, 22%]
Food Service Industry represents the majority of the compromises (56%).
Retail Industry is the next largest industry seeing compromises (22%).
The challenge for large retailers to meet their customers’ needs at the
speed which customers demand creates tremendous security issues.
Source: Trustwave (based upon total number of breach events)
Current State of the Industry
Challenges by the Numbers…
• Credit card data remains an extremely valuable commodity.
• Payment data breaches represented 98% of all data breaches in 2009.¹
• More than 280 million payment card records were breached in 2008 alone.²
• The average cost of a data breach is $202 per record and rising, with the average cost of a large scale breach reaching $6.6 million dollars.³
• A significant data breach at one PCI Level 1 retailer has cost over $250 million dollars so far…..
1 Trustwave Global Security Report 2010
2 Verizon 2009 Data Breach Investigations Report
3 Ponemon Institute, 2008 Annual Study: Cost of a Data Breach
PCI DSS Compliance Merchant Levels
Level 1 merchants have rigorous compliance requirements.
Merchant Level 1
• Any merchant, regardless of acceptance channel, processing 6 million Visa® or MasterCard® transactions per year, or any merchant that the card brands determine should be considered a Level 1 merchant
Merchant Level 2
• Any merchant, regardless of acceptance channel, processing 1 million to 6 million Visa® or MasterCard® transactions per year
Merchant Level 3
• Any merchant processing 20,000 to 1 million e-commerce Visa® or MasterCard® transactions per year
Merchant Level 4
• All other merchants regardless of acceptance channel
Level 4 merchants are impacted, as well!
PCI DSS Compliance Merchant Validation
Level 1*
On Site Assessment: Report on Compliance (ROC)*
Self-Assessment Questionnaire: Not Applicable
Network Vulnerability Scans: Required Quarterly
Submitted to Acquirer Annually
Level 2*
On Site Assessment: Not Applicable
Self-Assessment Questionnaire: Submitted to Acquirer Annually*
Network Vulnerability Scans: Required Quarterly
Level 3
On Site Assessment: Not Applicable
Self-Assessment Questionnaire: Submitted to Acquirer Annually
Network Vulnerability Scans: Required Quarterly
Level 4
On Site Assessment: Not Applicable
Self-Assessment Questionnaire: Best Practice Annually; Submitted at Acquirer’s discretion
Network Vulnerability Scans: Required Quarterly; Submitted at Acquirer’s discretion
*Note: Due to MasterCard® Site Data Protection (SDP) program rules, all level 1 and 2 merchants that elect to perform their own validation
assessments must ensure that the primary internal auditor staff engaged in validating PCI DSS compliance attend merchant training
programs offered by the PCI Security Standards Council (PCI SSC) and pass any PCI SSC associated accreditation program annually in order
to continue validation in this manner. The training deadline is June 30, 2011.
End to End Encryption and Tokenization
How It Works…
• Sensitive card data is encrypted at the point of capture using format preserving encryption
• PAN/Track Data/Expiration Data are encrypted in the device using a Private Key
• Auth Request moves through merchant’s POS/Host/Network completely encrypted to Fifth Third data center
• Fifth Third decrypts the data and transmits to the card networks
• Auth approval is received from network, card token is generated and submitted back to merchant
• Merchant completes post-authorization and back office activities with tokenized card value
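The token half of this flow, as an added Python example (not part of the original slides and not Fifth Third's code): a hypothetical processor returns a token on approval, and the merchant's records hold only name, token and expiry, in line with the earlier slide on what card data can be stored. Keeping the last four digits and making tokens fail the Luhn check are assumptions of this example; the point-of-capture encryption step is not modelled.

```python
import hashlib
import hmac
import secrets

def luhn_ok(number: str) -> bool:
    """Luhn check that real PANs pass; tokens below are chosen to fail it."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch) * (2 if i % 2 else 1)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class Processor:
    """Hypothetical processor side: the only place a PAN-to-token map exists."""
    def __init__(self):
        self._key = secrets.token_bytes(32)
        self._token_by_mac = {}   # HMAC(PAN) -> token, so one card maps to one token
        self._pan_by_token = {}   # token -> PAN, never leaves the processor

    def authorize(self, pan, expiry, security_code, amount_cents):
        # security_code is used for this authorization only and is never stored.
        if not (pan.isdigit() and luhn_ok(pan)) or amount_cents <= 0:
            return {"approved": False}
        return {"approved": True, "token": self._tokenize(pan), "expiry": expiry}

    def _tokenize(self, pan):
        mac = hmac.new(self._key, pan.encode(), hashlib.sha256).digest()
        if mac not in self._token_by_mac:
            while True:  # same length, same last four, random body, fails Luhn
                body = "".join(str(secrets.randbelow(10)) for _ in range(len(pan) - 4))
                token = body + pan[-4:]
                if token not in self._pan_by_token and not luhn_ok(token):
                    break
            self._token_by_mac[mac] = token
            self._pan_by_token[token] = pan
        return self._token_by_mac[mac]

    def refund(self, token, amount_cents):
        """Back-office action driven by the token alone."""
        return token in self._pan_by_token and amount_cents > 0

class Merchant:
    """Merchant side: keeps name, token and expiry; no PAN, no security code."""
    def __init__(self, processor):
        self.processor = processor
        self.records = []

    def take_payment(self, name, pan, expiry, security_code, amount_cents):
        # On the slide the PAN reaches this point already encrypted by the
        # capture device; that step is outside this example.
        result = self.processor.authorize(pan, expiry, security_code, amount_cents)
        if result["approved"]:
            self.records.append({"name": name, "token": result["token"],
                                 "expiry": expiry, "amount_cents": amount_cents})
        return result["approved"]

TEST_PAN = "4111111111111111"  # constructed: a test number, not a real account

if __name__ == "__main__":
    shop = Merchant(Processor())
    shop.take_payment("ABC Plumbing", TEST_PAN, "12/30", "123", 552550)
    print(shop.records)
```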
End to End Encryption and Tokenization
Key Solution Capabilities
• Enable encryption at the point of sale without the need of complex key injection
• Provide true end to end encryption from entry devices all the way to brand handoff
• Allows for robust host side capabilities maximizing reliability and meeting high volume requirements
• Allows for encryption in multiple environments:
– Swipe
– Key entered
– E-commerce
Key Customer Benefits
• Risk Mitigation
• Potential PCI scope reduction: The potential ability to take components out of scope
• Protection of Brand Reputation
• Implement security solution that will be sustainable and flexible as association and governing bodies’ rules develop and change
PCI Compliance—
Types of Risk
• Systemic Risk
– Primarily Risk associated with large scale data breaches
– Increasingly sensitive due to PR impact and potential for civil litigation
– Often associated with organized crime and sophisticated IT “break ins”
– PCI (Payment Card Industry Data Security Standards) meant to address major challenges
• Operational Risk
– Normal fraud risk associated with individual transactions
– Can often be prevented by operational best practices
12 Potential Signs of CNP Fraud
Keep your eyes open for the following indicators. When more than one is
true during a card-not-present transaction, fraud might be involved. Follow
up, just in case.
1. First-time shopper: Criminals are always looking for new victims.
2. Larger-than-normal orders: Because stolen cards or account
numbers have a limited life span, crooks need to maximize the size
of their purchase.
3. Orders that include several of the same item: Having multiples of
the same item increases a criminal’s profit.
4. Orders made up of “big-ticket” items: These items have maximum
resale value and therefore maximum profit potential.
5. “Rush” or “overnight” shipping: Crooks want these fraudulently
obtained items as soon as possible for the quickest possible resale,
and aren’t concerned about extra delivery charges.
6. Shipping to an international address: A significant number of
fraudulent transactions are shipped to fraudulent cardholders
outside of the U.S. Visa AVS can’t validate non-U.S., except in
Canada and the United Kingdom.
12 Potential Signs of CNP Fraud (cont’d)
7. Shipping to a single address, but transactions placed on multiple
cards: Could involve an account number generated using special
software, or even a batch of stolen cards.
8. Multiple transactions on one card over a very short period of time:
Could be an attempt to “run a card” until the account is closed.
9. Multiple transactions on one card or a similar card with a single
billing address, but multiple shipping addresses: Could represent
organized activity, rather than one individual at work.
10. In online transactions, multiple cards used from a single IP (Internet
Protocol) address: More than one or two cards could definitely
indicate a fraud scheme.
11. Transactions with similar account numbers: Particularly useful if
the account numbers used have been generated using software
available on the internet (e.g., CreditMaster).
12. Orders from Internet addresses that make use of free e-mail
services: These e-mail services involve no billing relationships, and
often neither an audit trail nor verification that a legitimate
cardholder has opened the account.
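The checklist above can be run as an automated pre-screen. This added Python example (not part of the original slides) evaluates the signs that can be computed from order data (1-3, 5-10 and 12) over constructed sample orders and queues every order where more than one sign is true. The thresholds, field names and the freemail.example domain are assumptions; signs 4 and 11 are left out because they need catalogue data and full account numbers.

```python
from collections import defaultdict

# Assumed, merchant-tuned thresholds; the slides give no numbers for these.
NORMAL_ORDER = 1500.00             # typical ticket; sign 2 fires above twice this
SAME_ITEM_QTY = 5                  # sign 3: "several of the same item"
WINDOW, BURST = 600, 3             # sign 8: 3+ transactions on a card within 10 minutes
FREE_MAIL = {"freemail.example"}   # sign 12: hypothetical free e-mail domain list

def order(oid, card, ip, ship, amount, ts, **kw):
    """Build a constructed sample order; 'card' is a token, never the PAN."""
    base = {"country": "US", "email": "ap@customer.example", "first_time": False,
            "rush": False, "items": {"fitting": 1}}
    return {"id": oid, "card": card, "ip": ip, "ship": ship,
            "amount": amount, "ts": ts, **base, **kw}

ORDERS = [  # constructed sample data
    order("A1", "tok_1", "198.51.100.7", "12 Elm St", 900.00, 1000, items={"pipe": 10}),
    order("B1", "tok_2", "203.0.113.9", "77 Dock Rd", 4800.00, 2000, first_time=True,
          rush=True, email="x1@freemail.example", items={"tablet": 6}),
    order("B2", "tok_3", "203.0.113.9", "77 Dock Rd", 350.00, 2060, first_time=True,
          email="x2@freemail.example"),
    order("B3", "tok_4", "203.0.113.9", "77 Dock Rd", 420.00, 2120, first_time=True),
    order("C1", "tok_5", "192.0.2.44", "5 Oak Ave", 200.00, 5000),
    order("C2", "tok_5", "192.0.2.44", "9 Pine Ct", 210.00, 5120),
    order("C3", "tok_5", "192.0.2.44", "3 Ash Ln", 190.00, 5300, country="CA"),
]

def build_index(orders):
    """Group orders so the cross-order signs (7-10) can be checked."""
    idx = {k: defaultdict(set) for k in ("ip_cards", "ship_cards", "card_ships")}
    idx["card_times"] = defaultdict(list)
    for o in orders:
        idx["ip_cards"][o["ip"]].add(o["card"])
        idx["ship_cards"][o["ship"]].add(o["card"])
        idx["card_ships"][o["card"]].add(o["ship"])
        idx["card_times"][o["card"]].append(o["ts"])
    return idx

def signs(o, idx):
    """Return the numbered signs from the list above that are true for order o."""
    near = [t for t in idx["card_times"][o["card"]] if abs(t - o["ts"]) <= WINDOW]
    checks = {
        1: o["first_time"],
        2: o["amount"] > 2 * NORMAL_ORDER,
        3: max(o["items"].values()) >= SAME_ITEM_QTY,
        5: o["rush"],
        6: o["country"] != "US",
        7: len(idx["ship_cards"][o["ship"]]) > 1,    # many cards, one address
        8: len(near) >= BURST,                       # one card, short period
        9: len(idx["card_ships"][o["card"]]) > 1,    # one card, many addresses
        10: len(idx["ip_cards"][o["ip"]]) > 2,       # more than one or two cards per IP
        12: o["email"].rsplit("@", 1)[-1].lower() in FREE_MAIL,
    }
    return sorted(n for n, hit in checks.items() if hit)

def review_queue(orders):
    """Orders with more than one sign true, which the slide says to follow up."""
    idx = build_index(orders)
    flagged = {o["id"]: signs(o, idx) for o in orders}
    return {oid: s for oid, s in flagged.items() if len(s) > 1}

if __name__ == "__main__":
    for oid, s in review_queue(ORDERS).items():
        print(oid, "follow up; signs", s)
```

Order A1 trips sign 3 alone and is not queued, which is the behaviour the slide describes: a single indicator is normal business, a combination is what warrants follow-up.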