transaction trends march 2011

Transaction Trends
The Official Publication of the Electronic Transactions Association | March 2011

ALSO INSIDE:
Tips for Fostering Level 4 Compliance
Adaptability Inspires ISO’s Progress
What Debit Interchange Regulation Means for You

Market Driven
Tech innovations, lower costs, and younger consumers push mobile payments to the forefront

2011 ETA Annual Meeting & Expo Preview

Upload: content-communicators-llc

Post on 29-Mar-2016


The Official Publication of the Electronic Transactions Association Vol. 16 | No. 3

Transaction Trends

COVER STORY

Market Driven
By Kim Fernandez
You’ve heard it for a while now, but 2012 may be the year for mobile payments. Experts explain why it’s finally a reality, who the early adopters are, and what bumps in the road lie ahead.

FEATURES

Coaxing Compliance
By Julie Ritzer Ross
Just 11 percent of Level 4 merchants abide by PCI security standards, compelling ISOs to encourage compliance by debunking myths, properly educating merchants, and more.

Special Series: Startup Stories: First American Payment Systems
By Julie Ritzer Ross
Adaptability and proprietary products and services helped grow First American Payment Systems’ portfolio to more than 100,000 merchants.

2011 ETA Annual Meeting & Expo Preview: Let’s Go to San Diego
This year’s new location promises outstanding networking opportunities, access to top industry partners, and all the business-critical education you need for success.

Debit Interchange Proposed Regulation Dissected
By Holli Targan, Jill Miller, and Sarah Weston
As the industry anxiously awaits the official regulations to be issued in April, three legal experts examine possible effects and what they mean for the industry.

DEPARTMENTS

President’s Message: Insights from ETA’s elected leader

Industry News: Trends, strategies, and news in the payments business

Ad Index

Industry Insider: Individualized fraud management services propelled Verifi Inc.’s progress.

Electronic Transactions Association
1101 16th Street NW, Suite 402
Washington, DC 20036
202/828.2635
www.electran.org

ETA Chief Executive Officer: Carla Balakgie
ETA Director, Communications & PR: Thomas Goldsmith

Transaction Trends
Publishing office: Stratton Publishing & Marketing Inc.
5285 Shawnee Road, Suite 510
Alexandria, VA 22312
703/914.9200

Publisher: Debra Stratton
Editor: Josephine Rossi
Contributing Editor: Angela Hickman Brady
Editorial/Production Assistant: Teresa Tobat
Art Director: Janelle Welch
Contributing Writers: Kim Fernandez, Jill Miller, Bryan Ochalla, Julie Ritzer Ross, Holli Targan, Sarah Weston
Advertising Sales: Steve Schwanz or Fox Associates (800/440.0232; [email protected])

Fox Associates Offices: Chicago 312/644.3888; New York 212/725.2106; Atlanta 800/699.5475; Detroit 248/626.0511; Los Angeles 213/228.1250; Phoenix 480/538.5021

Editorial Policy: The Electronic Transactions Association, founded in 1990, is a not-for-profit organization representing entities who provide transaction services between merchants and settlement banks and others involved in the electronic transactions industry. Our purpose is to provide leadership in the industry through education, advocacy, and the exchange of information.

The magazine acts as a moderator without approving, disapproving, or guaranteeing the validity or accuracy of any data, claim, or opinion appearing under a byline or obtained or quoted from an acknowledged source. The opinions expressed do not necessarily reflect the official view of the Electronic Transactions Association. Also, appearance of advertisements and new product or service information does not constitute an endorsement of products or services featured by the Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided and disseminated with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice and other expert assistance are required, the services of a competent professional should be sought.

Transaction Trends (ISSN 1939-1595) is the official publication, published monthly, of the Electronic Transactions Association, 1101 16th St. N.W., Suite 402, Washington, DC 20036; 800/695-5509 or 202/828-2635; 202/828-2639 fax. Postage paid at New Richmond, Wisconsin and additional mailing offices. POSTMASTER: Send address changes to the address noted above.

Copyright © 2011 The Electronic Transactions Association. All Rights Reserved, including World Rights and Electronic Rights. No part of this publication may be reproduced without permission from the publisher, nor may any part of this publication be reproduced, stored in a retrieval system, or copied by mechanical photocopying, recording, or other means, now or hereafter invented, without permission of the publisher. Nonmembers, government agencies, $150 per year; single copy, $20. Subscriptions are available for 12-month periods only, at the quoted rates.

Credentialing Comes to Fruition

It’s official. Late last month the ETA formally announced that after two years in the development phase, the Certified Payments Professional™ (CPP) credentialing program will launch later this year.

This is an extremely important milestone in the history of our industry. ETA was created, in large part, to address the “checkered” reputation that plagued the merchant acquiring business. Our founders vowed to change things for the better and the CPP program is a giant step toward fulfilling that promise. It will raise the visibility of those in our business who are knowledgeable and capable–and to help make them more successful.

To qualify as a CPP, a payments professional will have to meet the program’s eligibility requirements, including a minimum amount of professional experience, and take an examination that will test the candidate’s breadth and depth of industry knowledge.

A huge amount of work has gone into the CPP program. And from the outset, ETA was determined to do it right. That meant gathering experts from across the industry to define what the examination would test, then subjecting that “body of knowledge” to review by more experts. Then yet another group began writing the actual questions for the CPP exam, a process that (including multiple reviews) is still going on. All of this is being done under the watchful eye of an outside organization that specializes in developing professional certification programs.

Why go through all this time and expense?

We want those who become Certified Payment Professionals to be proud of their achievement. And for the CPP to be a mark of distinction, something that makes them valuable to their current and future employers.

It’s also important for merchants to seek out CPPs, to make doing business with them a part of their decision-making process when setting up a merchant account.

And we want the ISOs, the processors, acquiring banks, and card companies—everyone in the business—to recognize the value of employing and partnering with CPPs, because they’ve made this significant commitment to their profession and their careers.

And we now can demonstrate to the regulators and legislators who are paying close attention to our business that we have established a standard of professionalism and ethical behavior for our industry.

Before 2011 is over, the exams will be finalized, the program rules and procedures will be in place and the first applications will be in the door. You can follow our progress at www.electran.org/CPP.

Soon it will be up to you. Do you have what it takes to be a CPP?

Sincerely,
Rick Pylant

Rick Pylant is President of ETA and President & Chairman of COCARD Marketing Group, LLC

President’s Message


Industry News

Fast Fact: By 2015, consumers’ use of cash will decline 17 percent, dropping to slightly more than $1 trillion. Source: Aite Group

ETA to Launch Certification Program

ETA will launch the payments industry’s first professional certification program before the end of 2011. The Certified Payments Professional™ (CPP) program will focus on the knowledge and skills required for those involved in the sales and distribution of electronic payments-related products and services to merchants and businesses.

“The launch of the CPP program will be an important milestone for the payments industry and for ETA,” says Carla Balakgie, CEO. “We’ve invested significant time and effort to establish the highest level of professional standards through this endeavor. We tapped a wide range of industry experts and certification program specialists to ensure that those who earn the CPP credential are truly qualified to receive the designation.”

Program objectives include:
• establishing a uniform, defined standard of practice and knowledge for ISOs, sales personnel, and others in the industry
• quantifying the expertise and potential performance of those who work in the payments industry
• encouraging ethical business practices
• enhancing the productivity and reputation of payments companies and the credibility of the industry.

In addition to meeting minimum eligibility requirements, candidates also must pass a rigorous examination that assesses their industry knowledge. For more information, visit www.electran.org/CPP.

Post-Holiday Spending Holds Steady

Jan. Transaction Growth (change)
Credit: +5.9%
Signature Debit: +10.0%
PIN Debit: +7.6%
Check: -13.7%

Jan. Dollar Volume Growth (change)
Credit: +7.2%
Signature Debit: +9.7%
PIN Debit: +5.4%
Check: -10.4%

Note: All transactions are same-store growth.

Source: First Data

Threat of Mobile Data Breaches Grows

As the popularity of social media and mobile devices has risen, so too has the likelihood of an attack against those sites and endpoint devices, according to Trustwave’s 2011 Global Security Report released in January. The rate and sophistication of those attacks also have increased as the latest versions of malware are virtually undetectable by current antivirus scanning software.

Mobile devices give criminals easy access to authentication credentials and sensitive data. Now, criminals are using mobile phones to mine geolocation data to launch more targeted, sophisticated attacks against social networks.

Notable findings from the report include:
• The food and beverage industry accounts for 57 percent of all investigations.
• Insecure software code or lax security practices in the management of third-party technology were the cause of 88 percent of breaches.
• Sixty-six percent of the investigations found theft of data in transit.
• A single organized crime syndicate may be responsible for more than 30 percent of all 2010 data breaches.


[ COVER STORY ]

Market Driven

Chevy Chase Supermarket, a 55-year-old family-owned store in Maryland, made headlines in 2006 when it announced it would embrace RFID technology to let customers pay simply by swiping their phones across checkout sensors.

Ahead of its time? Perhaps. After all, most cell phone manufacturers have yet to start including RFID chips in devices. At the same time, large chains increasingly are embracing mobile payment technology, and even the smallest stores should do the same within the decade. Younger consumers will demand the service or shop elsewhere.

“There is a whole generation of kids for whom cell phones are the mechanism for communicating with family and friends,” says Scott Goldthwaite, vice president of product management for Long Beach, New York-based Planet Payment. “That’s how money will be moved. It won’t be moved by cash, and they’re not going to Western Union. Mobile phones are rapidly replacing that.”

PayPal, MasterCard, and Amazon have already rolled out pay-by-phone options. And while consumers haven’t exactly rushed to try it out, technology providers expect a boom in technological innovations and demand over the next five to 10 years.

“We’re going to see tremendous widespread adoption in the next five years,” says Paul Sabella, CEO and president, CHARGE Anywhere in South Plainfield, New Jersey.

The joint venture between Verizon, AT&T, and T-Mobile will push mobile payments at the point of sale, says Gwenn Bezard, Aite Group research director. “I imagine we’ll see a few phones introduced this year, with more to come in 2012.”

KEY NOTES
• Technology providers expect a boom in technological innovations and demand over the next five to 10 years. But some studies point to a real takeoff in 2012 and $22 billion in mobile POS transactions by 2015.
• Contactless will soon become a standard feature of any replacement plan. For merchants replacing a terminal now, adding contactless doesn’t cost any more.
• The current challenge to widespread adoption is the lack of infrastructure at the point of sale. Many consumers don’t know mobile payments exist, say some experts.

LARGE RETAILERS EMBRACE MOBILE PAYMENTS WHILE PHONE COMPANIES AND TECH PROVIDERS CONTINUE TO INNOVATE, BUT INFRASTRUCTURE CHALLENGES REMAIN

By Kim Fernandez

Once that happens, consumers will start asking to use the capabilities in person, and merchants will have to respond.

Tricky Road Ahead

“If you look at the United States in regard to the rest of the world, the United States has the largest share of contactless [cell phone] acceptance,” asserts Bezard. “We have about 150,000 locations that are equipped to use contactless technology. That’s not huge, but it’s a start.”

Many merchants will be offered the option to add contactless readers to their payment terminals as they upgrade or replace over the next several years. And because the technology is inexpensive, many will do so without much thought.

“It’s going to become a standard feature of any replacement plan,” he says. “It’s getting less and less expensive. If you’re replacing a terminal now, it really doesn’t cost any more to add contactless capabilities.”

“POS merchants have been a growing market and will continue to be a growing market,” adds Goldthwaite. “We’ll see a shift in merchants using cell phones, and with more people using Androids and BlackBerrys and iPhones, it’ll be more common for people to use a mobile POS device. Cell phones can move faster than stand-alone payments.”

iPhone users can already pay each other simply by bumping their phones together. A simple tap of the two devices transfers cash from one owner’s account to the other’s. That, experts say, will expand to POS sales as consumers embrace the technology on an even wider scale.

“The challenge with a lot of this is that the infrastructure isn’t there at the point of sale,” says Goldthwaite. “You can’t swipe a phone right now. For the most part, the penetration is quite small when you look at how many merchants have it versus how many don’t use phone payments. There’s a one out of 25 chance you’ll find it at a merchant. So if you’re building whole mobile phone payments around the mobile phone as credit card, the infrastructure isn’t there yet and it’s going to be very difficult.”

It’s something major merchants have already discovered. Because more merchants haven’t installed readers, phone manufacturers haven’t installed the proper chips into devices, and consumers have no idea the option even exists.

“Two years ago, we saw a big buildup of tier-one acceptance,” he says. “That really dropped off. Best Buy turned theirs off. It’s a huge challenge for merchants.”

Best Buy embraced Visa contactless payments and installed the system in all of its stores in 2008. But when Visa began demanding more expensive signature rates for the transactions in 2009, Best Buy pushed back, eventually removing the system from its stores.

Surging Forward

While the challenges have yet to be resolved, a new generation’s demand for phone payments will force everyone to negotiate and settle on a workable system.

“Consumer mobile payment now is really scratching the surface of what it will be in time,” says Sabella. “Right now, people can do e-commerce on their phones. They can go to a Web site and buy a ticket or load value on a card, but that’s just using the Internet to facilitate a purchase on a phone. We’re starting to see what buying online really is in a mobile environment.

“The technology is getting ripe for those kinds of payment systems,” says Sabella, adding that many of the security “wrinkles have been ironed out. So now, it’s a matter of implementation in some cases, and of figuring out business rules and how commerce will be conducted in respect to the different brands of card issuers.”

Bezard says he anticipates more acceptance when merchants realize how much they could do with contactless payments, and consumers figure out that they have the technology at all.

“I don’t think people are familiar with it,” he says. “Awareness remains extremely low even though millions of cards have been issued and even though people carry them around. As a contactless chip becomes available, things are going to change. You’ll be able to do a lot more things with the phone, and create a value that wasn’t there before.”

That includes improving communication between consumers and merchants, he says.

“Merchants will be able to offer coupons that way and bump up the communication between merchant and customer,” he says. “People will consolidate their payment forms, adding gift cards to their mobile wallets. Starbucks is already offering people the option to reload their cards while they’re in line with their phones. That’s a mobile application that provides value above and beyond what people see now.”

And as more merchants introduce similar systems, he says, the possibilities will only grow.

“Merchants will be able to communicate better with consumers,” he says. “You’ll be able to push special offers directly to them and then track how they’re using those offers. It’s not so much about the payments themselves, but about tying together payments and coupons. That’s all just emerging.”

Bezard cites studies that predict mobile payments will really take off in 2012, and that $22 billion in mobile POS transactions are anticipated by 2015. Sabella agrees, saying the technology will increase both as younger consumers demand it, and as people upgrade their phones at the end of two-year contracts.

“I think our kids are more likely to do this in five or 10 years than we are,” he says. “What’s the life cycle of a phone? How fast are phones going to rotate through? Really, what we should be looking at is the phone and the life of a contract, and how many two-year increments are going to cycle through before people have the phones they need to make payments. I think we’re looking at two to eight cycles.”

And demographics will play a key role as well. “I think people in the first generation of this will still want to swipe their credit cards,” he says. “I mean, my father still writes a check when he shops. He stands in the bank and talks to the people in the bank. Younger people don’t go into banks at all.

“There is a lot of interest in this, and I think in the next five years, we’ll see a lot of neat things with it,” he says.

“Ten years from now, the generation that’s growing up won’t know what a credit card was,” says Goldthwaite. “They won’t know what a dial tone was. It’ll take that long for the infrastructure to be rebuilt and make sure POS retailers have readers.”

“The phone will be the only payment mechanism that demographic has,” he says. “If retailers want their business, they’ll upgrade their infrastructure to accept it. It’s the only way those customers will want to pay, and it’s the new mechanism for retailers to invest in.”

Kim Fernandez is a contributing writer to Transaction Trends. Reach her at [email protected].

Page 14: Transaction Trends March 2011

KE Y NOTES8 Remediation of PCI DSS

compliance deficiencies can run upwards of $30,000 or more. And ongoing monitoring, including system scans, adds up to $500 to $2,000 monthly.

8 ISOs have to address and debunk common myths that prevent merchants from addressing PCI compliance—such as the myth that only large retailers are affected.

8 Communicate with merchants on a regular basis about data security and compliance, experts say. E-mail, direct mail, and, most importantly, phone calls are all essential education tools. “Be in their face about it,” says someone who knows.

8 ISOs must position PCI compliance as a critical component of an overall comprehensive security strategy.

Compliance with the Payment Card Industry Data Security Standards (PCI DSS) continues to be a problem for small- and medium-size (Level 4) mer-

chants. Only 29 percent of small business owners are truly aware of the PCI compliance standards and only 11 percent are actually in compliance, according to a recent poll by the Payment Card Industry Security Standards Council. Meanwhile, statistics released by Visa USA indicate that more than 80 percent of the association’s noncompliance issues origi-nated with Level 4 merchants.

Sticker shock may indeed be a culprit here: Sources report that while completion of the PCI DSS Self-Assessment Questionnaire (SAQ) doesn’t amount to much, even if a Qualified Security Assessor (QSA) is commissioned to assist with the process, remediation of defi-ciencies (including technology implementa-tion) can run upwards of $30,000 or more. And ongoing monitoring, including system scans, adds up to $500 to $2,000 monthly. Other factors, ranging from erroneous as-sumptions to a lack of knowledge of what PCI is truly about, also come into play, but

there are steps ISOs can take to nudge mer-chants onto the compliance path.

➀ Explain the financial conse-quences of noncompliance. Small- and medium-size merchants are less likely to balk at PCI-related expenditures when ISOs share in detail the cost of ignoring the mandates, says Tim Horton, vice president, product fam-ily manager, TransArmor and security services, at Atlanta-based First Data Corp. “The more explicit the information, the more attractive an investment in compliance becomes.”

Point out that the “meter” starts to tick not when a data breach actually occurs, but at the moment a merchant is even suspected of having experienced one. Depending on the complexity of systems involved, a mandatory forensic investigation by PCI DSS-certified security examiners can bring a business to a halt for several days to several weeks, im-peding sales, profitability, and productivity. Merchants must cover the cost of such an examination, no matter what its outcome. Sources peg the investigation tab for a Level 4 merchant at $8,000 to $20,000, based on the breadth of the procedures performed and

Five strategies to help Level 4 merchants overcome PCI compliance barriers

By Julie Ritzer Ross

[ FEATURE]

12 March 2011 | TransacTion trends

CoaxingCompliance

Page 15: Transaction Trends March 2011
Page 16: Transaction Trends March 2011

14 March 2011 | TransacTion trends

the particular systems evaluated.Moreover, should examiners discover

that a breach has indeed occurred, the af-fected merchant will shoulder additional expenses, including $3 to $10 per replace-ment card; $5,000 to $50,000 or more in compliance fines; and other fines levied for actual fraudulent use of compromised card numbers. “Merchants need to under-stand that noncompliance expenditures are significant enough to ruin a small busi-ness very fast,” especially given that “these numbers do not take into account potential public relations damage and lawsuits,” as-serts Mike Meikle, CISSP, CEO of the Hawk-thorne Group, a boutique management and technology consulting firm headquartered in Richmond, Virginia.

In discussing the financial perils of non-compliance, Meikle adds, ISOs might ex-plain to merchants that adherence with the mandates “provides a ‘safe harbor’ from many of the fines or penalties levied, as long as the firm breached was PCI compli-ant at the time of the incident.” ISOs should equate the “reverse image of ‘safe harbor’ with the ‘death penalty,’” because if a mer-chant is discovered to have been grossly negligent in its security practices, it can be permanently banned from accepting credit cards, Meikle advises.

➁ Address and debunk common myths that also prevent many mer-chants from addressing PCI compli-ance head-on. These include:• “Data breaches only affect larger retail-

ers.” Quite the opposite is true. Level 4 merchants outnumber their Level 1, Level 2, and even Level 3 counterparts, render-ing them a more frequent target of card-holder data compromise. Anecdotal evi-dence from Visa lends credence here. The association continues to identify small merchants as the group most commonly victimized by hackers, according to Jen-nifer Fischer, senior business leader, pay-ment system security compliance. And smaller merchants’ general lack of tech-nology savvy only increases their appeal to perpetrators of data breaches, experts assert.

• “One data breach won’t have a lasting effect on the business.”Nothing could be farther from the truth. Contrary to what

at SafeNet, a Belcamp, Maryland-based vendor of network security and encryp-tion products. “Although it is critical that terminals, gateways, shopping carts, and the like be PCI compliant, compliance as a whole doesn’t stop there,” Tumulak says. “The documentation piece is just as important.”

➂ Educate, educate, and educate some more. Merchants’ view of PCI com-pliance as a “scary, very technical” matter, coupled with their lack of understanding about “what happens to payment data after a transaction is completed,” is as much an impediment to jumping on the bandwagon as sticker shock, misconceptions, and other factors, insists Ron Schmittling, principal, security and privacy, at St. Louis, Missouri-based financial services and business con-sulting firm Brown Smith Wallace LLC.

To best overcome these obstacles, Schmittling suggests ISOs launch multi-faceted educational campaigns that may include e-mail messages, direct-mail pieces, and phone calls to merchants about data security regulations. “Com-municate with merchants on a regular basis about data security and compli-ance,” he emphasizes. “You may have to be in their face about it. The myth that PCI compliance is voluntary is a big hurdle to get over. “

In Schmittling’s experience, e-mail and direct mail should represent a portion of ISOs’ merchant communication endeavors, but the bulk of education is best delivered by telephone and will likely be more effec-tive at increasing compliance rates among small merchants. “Many small merchants believe the PCI requirements are highly technical,” he says. “When they see an e-mail, they get scared and think the topic is too complex. However, when the phone rings, they tend to feel they can manage the conversation. If you send a merchant a letter or e-mail, it is a passive contact that he or she can set aside. On the telephone, it’s not so easy.”

➃ Avoid the technology “hard sell.” Whether in the course of educating merchants about PCI mandates in general, or not, some ISOs tend to make the mistake of aggressively touting technology. This

many smaller merchants may assume, a Level 4 merchant need suffer only one confirmed security breach before being forced to meet Level 1 compliance stan-dards. In the Level 1 category, the cost of achieving and maintaining compliance, as well as fines for security breaches, can total millions of dollars.

• “Our low transaction volume doesn’t warrant compliance.” No merchant can make this claim, unless it doesn’t accept credit cards at all. Processing even a single credit card transaction each year puts retailers and other entities within the scope of PCI compliance, notes Ed Moyle, co-founder and partner of Security Curve, an Amherst, New Hampshire-based information security services company.

• “Using a third-party processor constitutes an automatic exemption from PCI compliance mandates.” Admittedly, partnering with a third-party processor may decrease merchants’ exposure to risk, in turn simplifying efforts to validate compliance, but it doesn’t otherwise exempt them from PCI DSS compliance requirements.

• “Utilizing PCI-compliant technology at the physical point of sale and/or PCI-compliant shopping carts and payment gateways online yields PCI compliance by default.” While this may be the case, merchants must be reminded that PCI guidelines also dictate implementing measures to ensure the physical security of networks and payment technology as well as the maintenance of written security policies, observes Derek Tumulak, vice president, product management,


Q: What is the Payment Card Industry Data Security Standard (PCI DSS), and what type of merchants must comply with it?

A: Administered and managed by the Payment Card Industry Security Standards Council, PCI DSS is a set of mandates intended to ensure all entities that process, secure, or transmit credit card information maintain secure environments for such data. No company with a Merchant ID (MID)—even one that only handles credit card information via telephone—is exempt from it.

Q: What basic steps can smaller merchants take to address data security, without incurring major expenditures?

A: They should take these steps:

• Use PCI-compliant technology.
• Secure cardholder transactions, encrypting all cardholder data during transmission.
• Conduct regular Web application and vulnerability scans. If your organization has Internet-facing IP addresses, conduct scans regularly to identify and address any critical vulnerabilities.
• Avoid electronic storage of credit card data, unless you have a compelling business reason to do so.
• Allow sensitive customer information to be accessed only by those employees whose position warrants it.

Q: What must Level 4 merchants do to become PCI compliant?

A: The minimum requirement for a Level 4 merchant is to complete a PCI DSS Self-Assessment Questionnaire (SAQ) on an annual basis, achieve a passing score, and remediate any areas of “failure.” Merchants that electronically store cardholder information and/or utilize transaction processing systems with any Internet connectivity whatsoever must arrange for quarterly scans by an Approved Scanning Vendor (ASV).

Q: What is an Approved Scanning Vendor (ASV)?

A: Approved Scanning Vendors are organizations that validate adherence to certain PCI DSS requirements by performing vulnerability scans of Internet-facing environments of merchants and service providers.

Q: What is a Qualified Security Assessor (QSA)?

A: A Qualified Security Assessor is an organization that has been qualified by the PCI Security Standards Council. QSAs have been certified by the Council to validate an entity’s adherence to the PCI DSS.

Q: Where can I find more information and updates?

A: Check out these Web sites.

• PCI Security Standards: pcisecuritystandards.org
• PCI Knowledge Base: knowpci.com
• PCI Self-Assessment Questionnaire: pcisecuritystandards.org/saq/instructions.shtml
• PIN Entry Devices: pcisecuritystandards.org/security_standards/ped/index.shtml
• Payment Application Data Security Standard: pcisecuritystandards.org/security_standards/pa_dss.shtml
• Visa (Risk Management): usa.visa.com/merchants/risk_management/cisp.html
• MasterCard: mastercard.com/us/sdp/index.html
• American Express (Merchants): americanexpress.com/merchant
• List of Qualified Security Assessors (QSAs): pcisecuritystandards.org/pdfs/pci_qsa_list.pdf
• List of Approved Scanning Vendors (ASVs): pcisecuritystandards.org/pdfs/asv_report.html

PCI Compliance FAQ

Use this cheat sheet to educate Level 4 merchants in your company’s portfolio


does little more than scare them off, says Tim Cranny, PhD, CEO of Panoptic Security, a Salt Lake City-based provider of online PCI compliance solutions. Discussing, in detail, how individual solutions address different security vulnerabilities, and proposing various alternatives (such as removing transaction data from the scope of PCI using technology as a linchpin) is a far more effective approach, Cranny says, noting that Panoptic and many other vendors partner with ISOs and resellers to share with them the information needed to position technology in this fashion.

“For the most part,” proposing solutions that remove data from the scope of PCI “has been overwhelmingly successful,” says Shawn Chaput, lead QSA with Vancouver, British Columbia-based Qualified Security Assessor Privity Systems Inc. “If, for instance, the magnetic stripe reader encrypted the credit card data immediately and never let connected points of sale obtain PAN, the compliance burden can be reduced. The same is true if card readers are fully managed devices that aren’t connected to a point-of-sale system at all, with the ISO returning transaction data to (or otherwise interacting with) the system over the network to ensure adequate segmentation and allow appropriate transaction reconciliation.”

In outlining the manner in which various technologies address PCI compliance issues, don’t forget to let merchants know exactly what makes the solutions themselves compliant. “Merchants look at this as guidance and not a hard sell so they listen more,” insists Mark Baumann, compliance and information security director at 3i Infotech, a global IT provider with U.S. offices in Edison, New Jersey.

Worth noting as well is how the deployment of certain solutions down the road may temporarily increase PCI compliance-related expenditures, yet generate savings later on. “Version 2.0 of the PCI DSS, released in October 2010, made only minor changes to the electronic transactions business,” says Jonathan Lampe, vice president, product management, at Ipswitch, a network and file transfer management solutions vendor in Lexington, Massachusetts. “However, more changes are around the corner when the Payment Card Industry Security Standards Council issues recommendations on tokenization of individual credit card fields and point-to-point encryption. This may force a complete technology refresh across the industry, but will also offer enormous cost savings because the technologies promise to reduce both the scope of PCI compliance and the chance for accidental data exposure during transmission.”

➄ Position PCI compliance as part of an overall security solution. For many merchants, the perception of PCI compliance as a component of a strategy for protecting far more than credit card data is the tipping point for acceptance. “We advise our MSPs to explain to their existing customers that data security as a whole is becoming increasingly complex, and that they have many assets—from human resources records, to proprietary material—to protect,” notes Michelle Wagner, senior vice president, global marketing, for Atlanta-based Elavon. “Then they can go into the ‘whys’ and ‘wherefores’ of all types of security. It sets the acceptance bar higher.”

Julie Ritzer Ross is a contributing writer to Transaction Trends. Reach her at [email protected].


Startup Stories: First American Payment Systems »

In today’s competitive electronic payments space, many ISOs/MSPs differentiate themselves from their competitors through the sales programs, products, and services they promote. But Fort Worth, Texas-based First American Payment Systems bills itself as one of the few merchant acquirers that owns every product and service it makes available to the merchant community.

This, along with the company’s strong ISO/acquirer offering and emphasis on diversification in terms of sales and markets served, has placed the ISO/MSP among the top privately owned merchant acquirers in the United States. The company has seen consistent year-over-year growth since its inception in 1990, maintains a portfolio of 118,281 merchant clients, and, as of late last year, was projecting a transaction processing volume of $10.8 billion in 2010.

First American Payment Systems was founded by industry veteran Neil Randel, who now serves as chairman/CEO, with a vision of offering terminals and credit card payment solutions, as well as other payment solutions and services. “There was nothing like that out there at the time, and the goal was to provide it while also using proprietary methods to support partners,” says Kevin Jones, former vice president, sales and marketing.

The business was built on a varied roster of in-house products, services, and infrastructure. Managers believed this approach would attract merchants and partners not only by providing a one-stop shop for electronic payment needs, but by ensuring a consistently high caliber of “menu items” for customers and sales personnel.

The ISO/MSP’s credit card processing “franchise” spans a multitude of merchant categories and structures, including retail, retail with tips, restaurants, lodging, e-commerce, MOTO, and auto rental. Debit card and EBT acceptance solutions are available, as are check acceptance services (both conversion and verification, with or without guarantee), e-commerce solutions (QuickBooks plug-ins, an Internet payment gateway, a “MOTO virtual terminal,” and batch upload), gift/loyalty cards, online reporting, ACH processing, equipment leasing, remote deposit capture, and ATMs. Solutions are branded as FirstPay.Net, FirstView, Secur-Chex, Merimac Capital, FirstFund ACH, and FirstAdvantage, among others. POS equipment is also available for purchase.

Diversifying Sales Models

A multifaceted sales and sales support model has been equally instrumental in fostering First American Payment Systems’ growth. The model incorporates more than 175 active ISOs and agents—“the root of the company,” says Jones. The model also includes a direct sales force and a cadre of value-added reseller (VAR) and other distribution partners.

Consistent Growth Mode

Proprietary products and services define First American Payment Systems’ market niche, resulting in year-over-year growth since 1990

By Julie Ritzer Ross

First American Payment Systems
Fort Worth, TX
Size of Portfolio: 118,281 merchants
Annual Transaction Volume: $10.8 billion

All ISOs and agents receive comprehensive, customized training from a full-time, in-house training specialist with 27 years of experience in the electronic payments industry. “The training program consists of 18 distinct modules,” Jones explains. “Based on (the breadth of) partners’ own experience, we design and tweak the training using these modules. We then certify them as Bronze, Silver, or Gold,” depending upon their level of participation in First American Payment Systems’ program.

To ensure consistency of procedures and service to merchants, in-person, video, and webinar education is provided to any new sales personnel hired by ISOs and agent organizations after they have signed on with First American Payment Systems. After the training, partners get 90 days of complimentary analysis of new employees’ sales performance, with continuing education and ongoing consulting services.

All ISOs and agents also work with a client relations consultant who helps them formulate, refine, and execute business plans. ISOs and agents can also consult with members of several First American Payment Systems teams for assistance in streamlining the merchant boarding process and increasing the potential for merchant retention. Other “perks” for partners in this category include online reporting, free income forecasting tools, strategic portfolio advice and analysis, and marketing assistance. Capital infusions for business expansion are often available, with decisions to allocate funds formulated on a case-by-case basis.

In addition, nonregistered ISOs can take advantage of prebuilt Web sites provided by the acquirer. Partners may provide an image, company-specific information, and their own URLs. “Web sites are a necessity in today’s corporate environment,” Jones says. “Not only do they help to validate a company, they offer pertinent information and often lead to meaningful business relationships.”

To attract sales executives and serve merchants that want local support, the company has also built a direct sales force of approximately 200 sales executives in 25 brick-and-mortar offices around the United States. A lead generation call center supports an additional 400 sales executives on the acquirer’s staff. “This operation is beneficial to those sales executives who prefer a support structure that includes being provided with warm leads daily and having access to a sales leader who remains available to assist them in meeting any needs merchants may have,” Jones asserts.

While in-house sales staff are trained in much the same fashion as ISOs and agents, VARs and other distribution partners assigned to handle First American Payment Systems’ proprietary gateway, government, and not-for-profit business channels are given complete autonomy in getting the job done. “These are dynamic technology firms that have proven to be industry leaders,” Jones notes. “[Unlike us,] they have a laser focus on their area of expertise, so they can continue to drive cutting-edge benefits to merchants in their verticals.”

Entering New Verticals

Over the past seven years, diversification into vertical markets—including health care, government/utilities, not-for-profit, direct sales, and what Jones deems “virtual terminal/gateway” (e-commerce)—has enabled First American Payment Systems to successfully weather recessionary conditions and industry-wide margin compression. Most diversification initiatives stem from the acquisition of existing entities; for example, movement into the direct sales arena occurred when First American Payment Systems acquired Eliot Management

Startup Strategies

Kevin Jones’ advice for newbie ISOs:

• Don’t lose focus. Set a strategic sales vision early on, and don’t be distracted by “flashy” products. Several promising startups have failed in the past 10 years because constant changes of direction caused them to deviate from executing their original plan.

• Take it one step at a time. After devising a business plan, “block and tackle” daily until you reach each objective and it’s really time to take the next step.

• Choose partners wisely. Market volatility, emerging PCI compliance regulations, new IRS reporting obligations, and the influence of American Express and Discover on business practices mean that startups have to exercise due diligence in choosing partners. Commit to fulfilling related responsibilities in-house from day one, or find a trustworthy partner to manage these obligations well so you can focus almost exclusively on sales and marketing.

The leaders at First American have a rich background in payment processing and have ensured continued growth of the company by making conservative, yet dynamic decisions.

L to R: Rick Rizenbergs, executive vice president of sales and marketing; Debra A. Bradford, president and CFO; Neil Randel, chairman of the board and CEO; Mike Lawrence, executive vice president and CIO; and Brian Dorchester, senior vice president of operations

Sherri Vest


Group of Salt Lake City. Acquiring GoEmerchant Services of Cherry Hill, New Jersey, led to First American Payment Systems’ foray into e-commerce by adding virtual terminal and mobile payment solutions, a Web payment gateway, shopping cart functionality, and a QuickBooks accounting plug-in. Bringing on Govolution, an Arlington, Virginia-based company, yielded entrée into the government sector, and the purchase of iATS, a Vancouver, British Columbia, company that provides donation processing for nonprofit organizations in the United States and Canada, brought expansion into the not-for-profit arena.

Some of the acquisitions were First American Payment Systems’ ISO partners. “This has always been a part of our [diversification and growth] strategy,” says Jones. “When we can build a strong relationship with a partner and it wants to exit, it’s natural for us to fold the organization into ours. Just as significantly, we [prefer] that these organizations did not start as departments within First American Payment Systems, but as separate companies that were and are focused and passionate about a [particular market niche]. As such, they have driven best-in-class products and technology that enhance our offering tremendously. These organizations still maintain autonomy today.”

Pushing POS and Value-Added

The company’s next move is to expand into the POS side. GoEmerchant recently released a version of its mTerminal that lets merchants accept credit card and ACH payments on Apple iPhone and iPod Touch devices. When Transaction Trends spoke with Jones in late 2010, the MSP was in the midst of finalizing a partnership agreement with a POS equipment vendor. That relationship will enable First American Payment Systems to offer a “best-in-class” electronic cash register/computerized POS system. Also in the works is a retail-enabled mobile POS solution.

First American Payment Systems is also exploring additional value-added programs, such as options for charitable giving. Other possibilities will be considered down the road, but not without careful evaluation. “We are always evolving,” Jones says. “In our business, change is a constant. It is imperative to build an organization that is adaptable and can judge the difference between a flashy product that will never take off and one that could change our industry. Presently, we believe that having an organized e-commerce strategy that encompasses a diverse set of tools is important—but we wouldn’t move ahead in this area if we didn’t. It’s all about the right solution.”

Julie Ritzer Ross is a contributing writer to Transaction Trends. Reach her at [email protected].

LET US PROFILE YOUR ISO

Is your company a successful ISO? Let us tell your story. E-mail [email protected] for more information.


If it’s been said once, it’s been said 1,000 times: The electronic transactions business is all about connecting. Any encounter you have at the ETA Annual Meeting & Expo can turn into a business deal that could seal your company’s success. It’s the one meeting you can’t afford to miss.

Whether you’re enjoying a golf outing with old friends and potential new partners, listening to a dynamic keynote address, or sitting down with a vendor on the Expo floor, you’re gathering information and striking relationships that could pay off big time for your business. The ETA meeting is the one-stop conference that will connect you with the information, opportunity, and people you need for success.

The 2011 ETA Annual Meeting & Expo is where merchant acquirers, financial institutions, processors, alternative payment providers, value-added resellers, prepaid companies, and merchant sales teams come together for the most diverse and comprehensive show in the payment industry.

“Everyone knows that the ETA Annual Meeting & Expo is a must-go event for many reasons. All the players in the industry are there in one place at one time, so you can see who you need to see in order to move your business goals along and help others meet their goals,” says Tony Abruzzio, VP, global merchant card services and banking, Recombo Inc. “The key manufacturers and VARs are there with plenty of resources and they are exhibiting their newest products. ETA allows me to do in a few days that which normally could take many months.”

Let’s Go to San Diego

ANNUAL EVENT PLANNED FOR MAY 9-12 WITH GREAT SESSIONS, A FULL EXHIBIT HALL, AND PLENTY OF NETWORKING OPTIONS

• Education: Each year, ETA offers an impressive lineup of speakers and sessions designed to help you identify new opportunities, predict trends, and get ready for coming challenges. The 2011 meeting is no exception. You’ll hear from industry leaders who will discuss the changing regulatory environment, the challenges of merchant compliance, combating fraud and its innovative perpetrators, global opportunities, and so much more. “It’s really the best single source to keep up with what’s going on in the industry, conduct market research, and learn about new products and players in the marketplace,” says Mary Winingham of Mirror Consulting.

• Exhibits: More than 180 exhibitors will demonstrate their products and services and fill you in on how their businesses can help yours. Exhibitors will tell you: Deals get done here. Don’t miss out on what could be the next big thing.

• Networking: ETA always includes a wide array of special networking events, including a highly popular and competitive golf tournament, a well-attended opening night celebration, a star-studded President’s Dinner, and, special this year, the ETA “Party on the Harbor.” But some of the best networking opportunities can happen anywhere.

Don’t miss out on the one conference you have to attend this year. Visit www.electran.org to register today.

REGISTER NOW

Visit www.electran.org

Schedule AT-A-GLANCE

Monday, May 9

• 9am-12pm ETAU—Introduction to Electronic Processing
• 9am-12pm ETAU—Acquiring Payments Risk/Fraud Management: Tactics & Trends
• 1-4pm ETAU—Introduction to Operations
• 1-4pm ETAU—PCI Compliance for the Small (Level 4) Merchant

Tuesday, May 10

• 8am-12pm Golf Tournament
• 8am-5pm Compliance Day
• 8am-5pm Prepaid Day
• 8am-5pm Investment Community Forum
• 9am-12pm ETAU—Introduction to Sales and Marketing
• 9am-12pm ETAU—Data Security Essentials
• 1-4pm ETAU—Introduction to Technology
• 1-4pm ETAU—Sales Channel Development
• 4:30-5:30pm Welcome Reception for New Members, First-Time and International Attendees
• 5:30-7:30pm Opening Reception in Exhibit Hall
• 6:30-7:30pm Technology Product Showcase
• 7:30-10pm President’s Dinner: ETA Star Awards and Volunteer Recognition

Wednesday, May 11

• 10:30am-6pm Exhibit Hall open
• 10:30-11:30am The Brave New World of Government Regulation
• 11:45am-12:45pm Regulatory Update, Part 1: Interchange
• 11:45am-12:45pm Merchant Acquiring 2015: A Look Toward the Future
• 1:30-2:30pm Regulatory Update, Part 2: Market Landscape
• 1:30-2:30pm Navigating the Wonderful World of PCI/Fraud
• 2:45-3:45pm The Challenges of PCI Compliance
• 2:45-3:45pm Going Global: Guidelines to Navigate the International Marketplace
• 4-5:00pm Mobile Payments: Leveraging the Opportunity
• 4-5:00pm e-Commerce Processing: Current Opportunities, Trends, and Challenges
• 5-6:00pm Happy Hour
• 6-9:00pm ETA/Discover Party on the Harbor

Thursday, May 12

• 9am-10pm Exhibit Hall open
• 9:30-10:30am Tweets, Posts, and Networking: Social Media in Payments
• 9:30-10:30am How to Build a Successful Sales Program
• 10:45-11:45am New Revenue Opportunities
• 10:45-11:45am TBD
• 12-1:00pm ETA: Your “Go-To” Resource for the Payments Industry
• 12-1:00pm EMV Chip—A Global Update

Visit www.electran.org to register. Rates are $745 for members and $1,145 for nonmembers. Check the Web site for group and single-day rates. Special fees apply to certain activities and events, including ETA University (ETAU) sessions, Compliance Day, Prepaid Day, Investment Forum, and special outings. Hotel reservations are available at the Hilton San Diego Bayfront (headquarters hotel) for $225/night. Visit www.hiltonsandiegobayfront.com. For other hotels, go to the ETA Web site. For additional information about registration, e-mail [email protected] or call 866.ETA.MEET.

“I have made more contacts at the ETA Annual Meeting & Expo than any other single industry gathering, and I have closed more business than at any other time during the year.”

—John Wiegand, Merchant Capital Access

Just Announced: Sen. Chris Dodd to Keynote

Former U.S. Senator Christopher Dodd will be the keynote speaker at the Wednesday general session.

Dodd is best known in the electronic payments industry for the Dodd-Frank Act, the law that was the vehicle for the Durbin amendment on debit card fees and created the Consumer Financial Protection Bureau. But he also helped write the Sarbanes-Oxley Act, which strengthened accounting and management standards for publicly held companies and many other significant pieces of legislation, especially regarding children’s issues, civil rights, voting rights, and privacy protection, including financial data security issues. He is a veteran of the Peace Corps, and ran for President in 2007-08.

In San Diego, Dodd will discuss the rationale behind the Dodd-Frank legislation, prospects for changes to parts of the law, and what the payments industry can expect next from the current Senate and Congress—and field questions from the audience.


Here we are, on a new path. Never before has the Federal government regulated the industry so directly. Never has a governmental agency picked apart how the payment system works. Never has the government mandated operational aspects of card processing. The Durbin Amendment, and the regulation proposed by the Federal Reserve Board, do all that. Set forth below is a summary of the 177-page proposal published by the Board.

Enacted in July, 2010, the Dodd-Frank law requires the Federal Reserve Board (Board, or FRB) to issue regulations implementing the statute. To draft the regulations, the FRB met with industry constituencies and gathered information through surveys of payment system participants. For the first time in history, the Board held a webcast of the meeting at which the proposed regulations were released. The proposal requests comment on them, which the Board will consider before promulgating final regulations.

The proposal, published on Dec. 17, 2010, does three things. First, it establishes standards for determining whether a debit card interchange fee received or charged by an issuer is reasonable and proportional to the cost incurred by the issuer. Second, it prohibits issuers and networks from restricting the number of networks over which a debit transaction may be processed. And third, it prohibits issuers and networks from inhibiting the ability of a merchant to direct routing of a debit transaction. The law requires the Board to publish final regulations by April 21, 2011, to be effective by July 21, 2011.

Scope

The first order of business is to clarify what the proposed regulation will cover.

It is debit, and generally not credit, cards that are subject to the law. But let’s be clear: this means both PIN debit and signature debit cards. Debit cards subject to the Act are more than just cards—they include other payment codes, such as an account number, issued through a payment card network to debit an account.

General-use prepaid cards, known as network branded prepaid cards, are included in the definition of debit cards as are decoupled debit cards (cards where the issuer is not the institution that holds the underlying account being debited) and deferred debit cards. Specifically excluded from the definition of a debit card are gift cards that can be used only at a limited number of merchants, checks, and ACH payments.

There are two categories of transactions that, although technically covered by the law, the Board does not quite know how to handle: ATM transactions and closed loop card transactions. The proposed rule covers debit card transactions that debit an account. And technically, since ATM cards are used to debit an account, ATM transactions are covered by the law. The Board recognizes the difficulties in applying the law to ATM transactions, and therefore has not decided whether ATM transactions should be included in the final regulation. Note that even if ATM transactions are covered in the final rule the interchange fee restrictions would not apply to ATM networks, although the network-exclusivity prohibition and routing provisions, discussed below, would.

Just like ATM transactions, closed loop transactions are technically covered by the law. Again, the Board had a difficult time trying to apply the language in the law to closed loop systems. So the proposal asks for comments on whether closed loop transactions should be included within the final regulation.

Debit Interchange
Proposed Regulation Dissected

By Holli Targan, Jill Miller, and Sarah Weston

Reasonable and Proportional Interchange Fees

The law requires that the Board set standards for determining the amount issuers may receive or charge for a debit transaction, mandating that the fees must be “reasonable and proportional to the cost incurred by the issuer with respect to a particular transaction.” In determining if a fee is reasonable and proportional, the law directs the Board to distinguish between incremental costs incurred by issuers in the authorization, clearing and settlement of debit transactions, and other costs which are not specific to authorization, clearing and settlement.

By law, the interchange fee restrictions do not apply to three broad categories: cards issued by institutions with less than $10 billion in assets; transactions using cards under government-administered programs; and reloadable, general use prepaid cards not marketed or labeled as gift cards.

So what is the “interchange transaction fee”? This is defined in the proposal as any fee established, charged or received by a payment card network for the purpose of compensating an issuer for its involvement in a debit card transaction.

Alternatives

Not settled is a method for determining whether an interchange fee is “reasonable and proportional.” The proposed rule gives two suggestions. Alternative 1 permits each issuer to determine the maximum fee it may receive for a debit transaction by calculating its variable costs. The Board stated that the only costs it should consider in determining allowable costs are those that specifically relate to authorization, clearing and settlement. Allowable costs do not include those that are not specific to a particular transaction or that are not incurred for authorization, clearing and settlement.

This alternative states that an issuer may not receive more than $0.12 per debit transaction. It also provides a “safe harbor” of $0.07 per transaction for issuers that do not want to calculate their specific allowable costs. This means that if an issuer decided not to calculate its costs, it could receive $0.07 per transaction, and still comply with the law.

Alternative 2 has the same $0.12 per-transaction cap but eliminates the requirement that each issuer calculate its costs. Under Alternative 2, any interchange fee at or below $0.12 would be permitted. Implementation of this method places less administrative burden on industry participants because each issuer would not be required to compute its allowable costs.

How did they arrive at those numbers? The Board used the survey responses which indicated that the median per-transaction total processing cost was $0.13 for all types of debit and prepaid card transactions; the 50th percentile of estimated per-transaction variable costs was approximately $0.07. The cap of $0.12 was selected because it significantly reduces the current interchange fees charged and it allows for recovery of per-transaction costs for approximately 80 percent of covered issuers.

The Board set forth two other potential methods for implementing the interchange fee standards. Under the first approach an issuer could receive varying interchange fees as long as the average for all its transactions was at or below the standard set by the Board. Under the second approach an issuer would comply as long as, on average, over a specified period, all covered issuers on a particular network meet the fee standard, taking into account all of that network’s mix of transactions. In other words, compliance would be evaluated at the network level, as opposed to at the individual issuer level.

The proposed rule contains a general prohibition against circumventing the interchange fee restrictions, and specifically prohibits issuers from receiving “net compensation” from networks. Net compensation means the total amount of compensation provided by the network to the issuer, such as per-transaction rebates and incentives, that exceeds the total amount of fees paid by the issuer to the network. The proposal discusses whether increases in fees charged by a network to acquirers should be considered circumvention of the fee restrictions. For example, a network could increase switch fees charged to acquirers to offset the decrease in interchange fee income. The Board believes that such action would not necessarily indicate circumvention because issuers would not be permitted to receive net compensation from the network.

Fraud Prevention Adjustment

The law allows an adjustment to the interchange restrictions if the adjustment is reasonably necessary to make an allowance for costs incurred by the issuer in preventing fraud, and the issuer complies with fraud prevention standards established by the Board.

The proposal does not specify provisions to implement this adjustment, which will be in addition to interchange. Instead, the Board set forth two approaches regarding the fraud prevention adjustment.

The first approach, the technology-specific approach, would allow issuers to recover costs incurred for implementing major innovations that would likely result in substantial reductions in fraud losses. The rule would establish specific technologies that an issuer must employ to be eligible to receive the adjustment. The second, or non-prescriptive approach, would not prescribe specific technologies but would require issuers to take steps necessary to maintain an effective fraud prevention program.

There are several pages of questions requesting comments on the fraud adjustment. For example: What type of technologies should be considered if the Board adopts the technology-specific approach? Should a cap and safe harbor be used? We expect to see another round of proposed regulations and comment period regarding the fraud adjustment.


Limits on Payment Card Restrictions

The second major subject of the law relates to limits on payment card restrictions. Note that the statutory exemptions for small issuers, government-administered cards and reloadable prepaid cards apply only to the fee restrictions, and not to these limits. So the network exclusivity and merchant routing restrictions below apply to those cards, as well as to all PIN and signature debit transactions.

By the way, there are two clauses in the law that the proposal states are self-executing and not subject to the Board’s rulemaking authority, so the proposal does not discuss these. The first is that the networks cannot prevent merchants from offering discounts based on method of payment tendered. In other words, discounts for payment cannot be prohibited. The second is that the network rules cannot prevent merchants from setting minimum or maximum transaction amounts on credit card transactions.

Network Exclusivity

The law prohibits an issuer or network from restricting the number of networks on which a debit transaction may be processed to fewer than two unaffiliated networks. So, by law, every debit transaction has to be able to be processed on two unaffiliated networks. Easy to say, difficult to implement. The proposal requests comment on alternative approaches for determining whether there are at least two unaffiliated networks available to carry a transaction.

Under Alternative A, every card must have at least two unaffiliated networks available for processing a debit transaction, no matter the authorization method. Under Alternative B, every card must have at least two unaffiliated payment card networks available for each authorization method.

An issuer could comply with Alternative A by offering on each card one signature network and one unaffiliated PIN network, or having two unaffiliated signature networks or two unaffiliated PIN networks. The advantage of this alternative is that it would avoid significant compliance costs and will be less likely to necessitate major changes to existing infrastructure. The drawback is that only two of the 8 million merchants are capable of accepting PIN, and PIN is not available for certain merchant categories or types of transactions.

So if a card had one PIN and one signature network, that card effectively can only be processed over one network, which defeats the merchant routing choice mandated by the law.

Under Alternative B, a card must have at least two unaffiliated payment card networks available for each authorization method. So issuers would comply by having two PIN networks and two signature networks on each card. The advantage is that this would facilitate the merchant routing choice. But it would require major changes to network and processor infrastructure, as currently the systems cannot handle multiple signature networks on the same card. The Board recognizes that enabling multiple signature networks may not be feasible in the short term because it would require replacement or reprogramming of millions of merchant terminals and changes to software for networks, issuers, acquirers and processors to support multiple signature networks.

Not acceptable under either alternative are networks with limited geographic scope, such as regional networks, or networks accepted at a limited category of merchants, like a supermarket chain. Note that if two networks on a card merge, the card would no longer be compliant and an unaffiliated network must be added within 90 days.

Merchant Routing Restrictions

The law requires regulations to prohibit an issuer or network from directly or indirectly inhibiting a merchant’s ability to route debit transactions through any network that may process the transaction. This will involve a major shift in the industry, as currently routing choice is determined by issuers. The proposal sets forth practices that would inhibit a merchant’s ability to route. In particular, networks cannot: 1) prohibit steering, 2) require that the transaction be routed over a specific network, or 3) require a particular method of authorization based on the access device provided by the cardholder.

The Board recognized that real time merchant routing decision making is not feasible, and advocates routing decisions determined in advance and set between the merchant and the acquirer for all of that merchant’s debit transactions.

Two different proposed effective dates for network exclusivity and routing are suggested, depending on the alternative selected: Oct. 1, 2011 for Alternative A and Jan. 1, 2013 for Alternative B. The later date reflects that multiple signature networks will be required for each card under Alternative B, and the Board recognizes it will take time to get the systems in place.

That, in a nutshell, is how the FRB proposes to implement the Durbin Amendment. Absent a change to the law, final regulations should be published by April 21, 2011. Stay tuned.

Holli Targan, Jill Miller, and Sarah Weston are attorneys at Jaffe, Raitt, Heuer & Weiss, P.C., concentrating their practices on payment systems compliance, contract, and merger and acquisition law. You may reach them at www.jaffelaw.com, or 248/351.3000.

Debit cards subject to the Act are more than just cards—they include other payment codes, such as an account number, issued through a payment card network to debit an account.

Editor’s Note: Former U.S. Senator Christopher Dodd will be the keynote speaker at the 2011 ETA Annual Meeting and Expo. He will be answering questions about the Durbin amendment and other aspects of the Dodd-Frank Act. For more information, visit www.electran.org.


Advertisers Index

Company | Page | Phone | Web
Authorize.Net | C2 | 866-437-0491 | www.authorize.net
Discover Network | 1 | 224-405-0900 | www.discovernetwork.com
Elavon | 25 | 678-731-5236 | www.elavon.com
Electronic Merchant Systems | C3 | 800-726-2117 | www.emscorporate.com
eProcessing Network, LLC | 16 | 800-296-4810 | www.eprocessingnetwork.com
First American Payment Systems | 2 | 866-GO4-FAPS | www.go4faps.com
First Data/CARP | 5 | 1-800-298-3025 | www.firstdatapartners.com/partners
PacNet Services Ltd. | 11 | 604-689-0399 | www.pacnetservices.com
Planet Payment | 19 | 516-670-3200 | www.planetpayment.com
SecurityMetrics | 13 | 801-724-9600 | www.securitymetrics.com
Total Merchant Services, Inc | C4 | 888-84-TOTAL x9411 | www.upfrontandresiduals.com
TSYS | 7 | 706-644-4422 | www.tsys.com
USAePay | 22 | 866-872-3729 | www.usaepay.com

ETA 2010-2011 Board of Directors

OFFICERS
President: Rick Pylant, Chairman & President, COCARD Marketing Group LLC
President-Elect: Eddie Myers, President & COO, Payment Processing Inc.
Treasurer: Roy Banks, CEO, ACCELERATED Payment Technologies Inc.
Secretary: Tom A. Wimsett, Chairman & CEO, J&T Ventures
Immediate Past-President: Holli Targan, Partner, Jaffe, Raitt, Heuer & Weiss P.C.

DIRECTORS
Todd Ablowitz, President, Double Diamond Group
Robert Baldwin, President & CFO, Heartland Payment Systems Inc.
Gregory Cohen, President, Moneris Solutions
Gary Goodrich, CEO, ProPay Inc.
Kim Fitzsimmons, Senior Vice President—First Data Services, First Data Corporation
Robert McCullen, CEO, Trustwave
Diana Mehochko, President, TSYS Merchant Solutions
Jeff Rosenblatt, President, EVO Merchant Services
Debra Rossi, Executive Vice President, Merchant Payment Solutions, Wells Fargo Bank
Kurt Strawhecker, Managing Director, The Strawhecker Group

ADVISORY COUNCIL
Tom Bell, CEO, Bank of America Merchant Services
Donald Boeding, President—Merchant Services, Fifth Third Processing Solutions
Chuck Harris, President, NetSpend
Chris Hylen, General Manager & Vice President, Intuit
Mike Passilla, President & CEO, Elavon

EX-OFFICIO
Carla Balakgie, CEO, Electronic Transactions Association
Jan Estep, President & CEO, NACHA
Sameer Govil, Head of Acceptance Solutions, Global Acceptance, Visa Inc.
Steve Carnevale, Senior Vice President/Group Head Commerce Development, MasterCard Worldwide
Ron Shultz, Vice President, American Express
Gerry Wagner, Vice President, Discover Financial Services

LEGAL COUNSEL
Dave Goch, Attorney at Law, Webster, Chamberlain & Bean


Industry Insider

Risk and Reward

Flexibility and a commitment to customer service drive Verifi’s risk-management business

By Kim Fernandez

Flexibility and a commitment to customer service, rather than advertising, have propelled Verifi Inc.’s successful history. Founded in 2005, the Los Angeles-based company specializes in a wide variety of fraud management services for card-not-present (CNP) merchants.

“Historically, we’ve done very little marketing,” says Cory Capoccia, vice president of strategic partnerships. “We get a lot of direct referrals. We work with the different acquirers, the issuing banks, and we work closely with different vendors in the transaction supply chain on shopping carts, management systems, and call centers.”

One of Verifi’s biggest business lines is representing vendors in chargeback situations.

“This is an ever-present problem for merchants in a CNP environment,” says Capoccia. “As more and more are moving toward online and e-commerce, we’re seeing a lot of consumers having less loyalty to merchants in general. They’ve been trained to find the path of least resistance, and they realize they can flip over the credit card or go online through a Web portal to dispute charges for any reason.”

Individualized Services

Verifi sees three main types of chargeback fraud: friendly fraud, when the consumer legitimately makes a purchase but later claims they didn’t receive the item; family fraud, when a child uses a parent’s card to run up bills and the parent later disputes the charges; and true fraud, when purchases are made using a stolen card number.

“When a consumer goes to the site, we try to provide our clients with as many different data points as they can possibly interpret—information about that consumer and his or her shopping past—so that the merchant can make a decision about accepting that charge,” says Capoccia.

“We can layer in both proprietary and third-party vendor technology to provide a layered solution that uses different technologies,” he continues. “That enables merchants to customize their own thresholds and decide if they want to be more relaxed or more guarded as they consider new customers.”

The company also offers location information, device fingerprinting, and the use of internal databases to further investigate individual consumers. This allows merchants to decline high-risk customers or flag them for manual approval and a more detailed order confirmation process.

“I use the term ‘risk’ very broadly,” Capoccia notes. “We look at risk as being made up of a number of different components,” such as risk of refund, risk to profitability, and risks of chargebacks. For the latter, Verifi will take a personal approach for clients who opt for that service.

“We have an in-house team that merchants can outsource chargebacks to,” he says. “They’ll fight chargebacks when we believe the original charge was good, and help merchants to recover that revenue.”

Forward Thinking

In the future, Capoccia believes merchants will need to face down new forms of fraud, including those stemming from increased international transactions and mobile payments.

“E-commerce cannot continue to be domestic,” he says. “Merchants will have to accept global-level transactions, and very little is understood by merchants, traditionally, in terms of the risks involved in accepting international transactions.”

The ubiquity of cell phones also is a source of both opportunity and risk.

“Every time we see a phone come out, it’s with new technology,” Capoccia says. “More people are relying on that little device to run their transactions and shop. It’s really uncharted territory.”

Those new challenges will call on fraud services providers to develop new solutions. That’s one reason Verifi is open to partnerships, such as the one it recently launched with Demandware LINK that will quickly add new services and technologies to its clients’ options.

“This will help us leverage all of these solutions without having to run transactions through our gateway,” he says. “You can use our chargeback representation service without necessarily running transactions through us.”

Kim Fernandez is a contributing writer to Transaction Trends. Reach her at [email protected].


GET THE REAL STORY. REAL REPS. REAL SUCCESS.

Start writing your success story today! Join the team with a proven track record.

Check out Total Merchant Services program details at www.upfrontandresiduals.com or call us toll-free at 1-888-84-TOTAL ext. 9411

Total Merchant Services (TMS) is a Member Service Provider for: HSBC Bank USA, National Association, Buffalo, NY.

Chris and Monica Collins

Business Credo: Give a lot to get a little.

What makes you good sales agents? Having the same regard for each customer, no matter how big or small.

Why do merchants choose you? We always put ourselves in their shoes. We know what it’s like to get the runaround and our service is always up-front.

What’s your aspiration? To build long-term financial security for our kids. And to enjoy some of the finer things today, by earning well above the average.

Chris, what’s your inspiration? I grew up relatively poor compared to many of my friends in high school. I think seeing their much nicer homes and nice vacations, etc. definitely made an impression.

Monica, how do you maintain your work/life balance? I leave work at the office and the computer off at home, otherwise I get sucked into the email trap!

What were your residuals before the TMS Free Terminal Placement Program? Average.

Residuals now? Way above average!

What’s the best decision you ever made? Joining Total Merchant Services as sales partners.

What’s your greatest accomplishment? Our family.

Your perfect weekend? Being with the kids at the beach.