
Payment Processing Blog

Advice for businesses looking to improve their payment processing using Direct Debits and Card Payments.

Feb 16
2011

Save Money on Payment Processing

Posted by directdebitadmin in Payment Solutions, direct debit collection, Credit Card Merchant Services, Card Processing

Accepting credit cards offers a number of benefits to merchants and consumers alike, and can provide a dramatic boost to your sales and cash flow. But that boost can be diluted somewhat if you don't pay attention to the various factors that influence the fees associated with accepting electronic payments.  There are many available options and partners to choose from.

Research into how payments are accepted and processed can literally pay dividends to those merchants wanting to reduce their payment-related expenses:

For a start, charges vary wildly: typical charges for card payments range from a straight 1.5% to 3.4% plus 20p per transaction, depending upon volume.  If taking payment by online direct debit collection is an option, charges can be anything from 4p to £1.00 per transaction, again depending upon the provider and transaction volume.

  1. Don't fall for 'special offers' on rates, as the small print could see you paying over the odds within a few short weeks.
  2. Weigh up the pros and cons of the various providers and beware of 'hidden charges' as they are numerous in certain circumstances.
  3. If using card payments, take advice on reducing charge-backs that could see you paying extra fees for cancelled/reversed transactions.

Following these steps and paying careful attention to payment methods, procedures and security requirements will pay considerable dividends in improving your productivity and profitability, and in reducing payment-related fees.

Jan 19
2011

Secure Direct Debit Services

Posted by directdebitadmin in Direct Debits, direct debit services, Credit Card Merchant Services

Merchants who accept direct debit and credit card payments understand the need to balance the convenience of electronic payment methods with the security and privacy of their customers’ personal and financial data. The Payment Card Industry Data Security Standard (often abbreviated as PCI) has been developed by the leading credit card companies to help merchants implement systems, procedures and equipment to safely process transactions while protecting customer data.  Many of the security standards and practices overlap with those in the Direct Debit world.

PCI outlines security requirements for merchants and service providers to store, process and exchange cardholder data securely. The standard was implemented to reduce credit card fraud and hacking, and to increase consumer confidence in e-commerce and the security of their personal data.

Besides the obvious security benefits, it’s important for merchants to learn about and follow PCI standards because failing to do so can subject them to substantial penalties and, potentially, the loss of their ability to accept credit and debit card payments.

Major Requirements

Customer Privacy – Full credit card numbers cannot be stored after processing, and cannot be displayed on customer sales receipts. Customer account and transaction data must be stored separately, and should only be accessible by authorized personnel. Card verification numbers cannot be stored once a transaction is completed, and magnetic stripe data must be purged from your records and any equipment or software used in transaction processing once a transaction is authorized.

PCI Compliance Validation – For most merchants a Self-Assessment Questionnaire must be completed annually, and companies that store cardholder information or have processing systems connected to the Internet must also have quarterly scans by an approved third party. Compliance with these requirements is mandatory.

Protect Your Website – Work with your IT provider to ensure your site and internal networks are protected by a working firewall, keep applications and security patches current, change default passwords on equipment and online applications, encrypt data sent over public networks, restrict access to authorized personnel, and assign distinct user IDs and passwords to anyone who needs to access data.

Following these guidelines, and working with your payment processor to monitor any changes to PCI requirements, will help your company protect customer data and provide a safe shopping environment for your customers.

From a direct debits perspective, the above also applies to personal and bank account information.

Article adapted from: The Basics of PCI Compliance

Eazy Collect Services Ltd. provides direct debit services and card payment solutions for businesses throughout the UK.

Apr 28
2010

How To Protect Yourself Against Online Fraud

Posted by directdebitadmin in Payment Solutions, Credit Card Merchant Services

Fraudsters are becoming increasingly sophisticated in extracting credit card data from computer systems.  This has resulted in many serious fraud cases amounting to millions of pounds.

In an attempt to minimise fraud, the major card companies have collaborated to create an industry standard known as the Payment Card Industry (PCI) Data Security Standard (DSS).  It protects the cardholder against theft and you against revenue loss.

If you wish to handle card payments online, compliance with this PCI DSS standard is mandatory.  Indeed if you are thinking of applying for your own Merchant ID status, you will need to demonstrate compliance by a thorough vetting procedure before you can even be considered.

Much like anti-virus companies who develop software to cure viruses, the PCI standard is constantly evolving to counteract and try to pre-empt fraudsters.

Larger companies often have the infrastructure and business processes to gain and maintain compliance.  However, doing so often diverts resources from the main business role.  For small to medium sized businesses, gaining compliance themselves is likely to be cost prohibitive, too risky and inefficient.

To significantly reduce the risk of lost revenues and heavy fines it is wise to partner with a fully accredited Payment Service Provider.

Eazy Collect’s payment solutions comply fully with PCI DSS standards and can help get you to Accept Credit and Debit Cards within 10 Days without any lengthy accreditation process.

A Payment Service Provider will need to adhere to 12 key requirements that form the PCI DSS:

Build and Maintain a Secure IT Network

1. Install and maintain an up-to-date firewall configuration that protects cardholder data, including the relevant network configuration diagrams, rules, services and testing processes. The firewalls must deny traffic from untrusted networks and restrict access between public networks and those that hold cardholder data.

2. Always create strong, unique passwords for all systems and develop specific security parameters.  Always change shipped defaults, as hackers use these as their first port of call.


Protect Cardholder Data

3. Protect any stored cardholder data, keeping stored data to the absolute minimum necessary.  Data needed only for authentication, such as the CVC (3-digit security code) or the 4-digit PIN, must not be stored after authorisation.

4. Encrypt any transmission of cardholder data across public networks such as the internet, using strong cryptography and protocols, so that it cannot be gathered and read by fraudsters.
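The "Customer Privacy" requirement in the previous post and requirement 3 above come down to the same data-handling rule: once a transaction is authorised, the CVC, PIN and magnetic stripe data are dropped and at most a masked card number is kept or printed. The following is an added example, not code from Eazy Collect or from the PCI standard, showing one way to apply that rule to a transaction record in Python and to scan receipts or log lines for full card numbers that slipped through; the function names, the field names and the sample record are assumptions constructed for the example.

```python
import re

# Sensitive authentication data (SAD): PCI DSS forbids keeping these once a
# transaction has been authorised, even if encrypted.  Field names are assumed.
SAD_FIELDS = frozenset({"cvc", "cvv", "pin", "track1", "track2", "magnetic_stripe"})

# Candidate card numbers: 12 to 19 digits, optionally separated by spaces or dashes.
PAN_PATTERN = re.compile(r"\b(?:\d[ -]?){11,18}\d\b")

# Constructed sample of what a payment page might hold right after authorisation
# (4111 1111 1111 1111 is a well-known test number, not a real card).
SAMPLE_RECORD = {"order": "A1001", "pan": "4111 1111 1111 1111", "expiry": "12/13",
                 "cvc": "123", "track2": "4111111111111111=1312101", "amount": "12.50"}


def luhn_valid(digits: str) -> bool:
    """Luhn check-digit test, used to tell real card numbers from other digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Return the storage- and receipt-safe form showing only the last four digits."""
    digits = re.sub(r"\D", "", pan)
    if not 12 <= len(digits) <= 19 or not luhn_valid(digits):
        raise ValueError("not a plausible card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def scrub_after_authorisation(record: dict) -> dict:
    """Reduce an authorised transaction to the fields that may be retained:
    SAD dropped entirely, the PAN replaced by its masked form, the rest kept."""
    kept = {}
    for key, value in record.items():
        if key.lower() in SAD_FIELDS:
            continue
        if key.lower() == "pan":
            kept["pan_masked"] = mask_pan(value)
        else:
            kept[key] = value
    return kept


def find_unmasked_pans(text: str) -> list:
    """Flag Luhn-valid card numbers left in receipts or log lines that should be masked."""
    return [re.sub(r"\D", "", m.group()) for m in PAN_PATTERN.finditer(text)
            if luhn_valid(re.sub(r"\D", "", m.group()))]
```

Running `find_unmasked_pans` over receipt templates and application logs is a cheap check that the masking is actually applied everywhere, since order numbers and timestamps of similar length fail the Luhn test and are not reported.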


Maintain a Vulnerability Management Program

5. Use anti-virus software on the network and keep it up to date, so that current spyware, adware and viruses are detected, removed and blocked.

6. Develop and maintain secure systems and software applications.  This includes maintaining strong change control procedures, installing the latest software updates and having documented back-out procedures.


Have Strong Access Control Measures

7. Restrict access to cardholder data within the business on a need-to-know basis: access is only allowed where it is a necessary part of a person's role.

8. Assign unique log-ins and passwords to each person with computer access so that there is a full audit trail.  Passwords must be at least 7 characters long and changed every 90 days.  Use two-factor authentication for remote access to systems.

9. Restrict physical access to areas and computers where cardholder data is held, with entry restrictions and monitoring to prevent unauthorised access, and secure storage of all tapes, media and paperwork that contain cardholder data.

Regularly Test and Monitor IT Networks

10. Track and monitor all access to the computer network and cardholder data.  Ensure that if users pass from one system to another, the individual can still be identified and the time and date are correctly logged.

11. Document, test and measure all security systems and processes.  Perform penetration tests, intrusion detection and scans regularly to identify and correct any security weaknesses.


Maintain an Information Security Policy

12. Maintain, communicate and adhere to a policy that addresses information security, including screening employees for suitability and ensuring that everyone knows the importance of security and their role in protecting the data.

For further advice, please visit www.eazycollect.co.uk
