
Electronic Payment Exchange Joins Direct Selling Association

Monday, January 31st, 2011

Electronic Payment Exchange (EPX), an end-to-end, domestic and international payment processor with its own proprietary payment gateway for credit, debit and ACH transactions, has joined the Direct Selling Association as a Supplier member.

EPX’s BuyerWall™-based tokenization technology virtually removes a merchant’s system from the scope of PCI compliance and significantly reduces merchant liability associated with the risk of processing, transmitting and storing sensitive cardholder data. In addition to decreased costs and increased security, EPX payment processing solutions provide direct selling companies with outsourced PCI compliance, increased processing speeds, centralized transaction reporting in real time, dedicated client services, increased transparency and a single point of contact for all aspects of the transaction.

EPX enables DSA merchants to simplify their payment processes and provides them with peace of mind in knowing that their transactions are secure.

EPX Tokenization Technology and Outsourcing Recognized as Secure, Cost-Saving Solution by HotelNewsNow.com

Wednesday, September 15th, 2010

In an article published today by HotelNewsNow.com, the credit card data tokenization technology from Electronic Payment Exchange (EPX) is recognized as a solution in which hotels can achieve payment processing security and PCI compliance while potentially saving money.

According to the article “Securing your credit card data costs almost nothing” by Joel Ross:

“Unless your company’s core competency is protecting data, you should not be trying to do it in house. It is too complicated and too expensive. Second, take the information and associated liability off your system. That shifts the risk to someone else and dramatically reduces your PCI audit requirements and PCI related costs.”

Ross’ statements make perfect sense. In fact, EPX has provided payment card security outsourcing for ten years and was the first payment processor to actually market, sell, and implement a solution that uses both tokenization and encryption for securing card data from the card swipe through the entire transaction lifecycle. By processing through EPX, individual merchants have reduced their initial PCI compliance burden by millions of dollars and continue to realize significant annual savings.

Ross also states that hotel merchants should:

“…move to a tokenized electronic payment processor who has the tokenization integrated into the platform and so does not charge for it. The EPX technology has been available for years. They have successfully tokenized millions of transactions representing billions of dollars.  This creates an environment that encrypts from the moment of swipe and tokenizes from the POS system forward. Simple, easy and cheap.”

EPX provides a straight-through, fully integrated, secure payment processing platform and acts as a payment gateway and acquirer. EPX provides traditional POS and Internet-related credit card processing, debit card processing, and ACH processing products and services to businesses, public utilities, merchants, retailers, e-tailers, merchant acquiring banks, Independent Sales Organizations (ISOs), and third-party processors in the United States, Canada, Europe, the Middle East, Latin America and the Caribbean.

Your business, whether large or small, can securely get a merchant account and accept credit cards, debit cards, and ACH checks using EPX solutions. Additionally, EPX hosted solutions — with embedded tokenization technology — enable your organization to facilitate PCI compliance by outsourcing your payment processing needs.

To read the full article, see http://www.hotelnewsnow.com/articles.aspx/4012/Securing%20your%20credit%20card%20data%20costs%20almost%20nothing

The Surprise Demise of PIN Debit: Debit Networks Have Been Quickly Diminishing The Cost Advantage of PIN vs. Signature Debit

Friday, May 14th, 2010

Most customers couldn't care less whether they enter their 4-digit PIN or sign a sales draft when using their Visa or MasterCard logoed debit card (“check card”) to make a purchase. The price they pay for goods or services is the same either way.

But the customer’s mode of choice has had a material impact on the cost of the transactions to merchants – at least until recently.  For those merchants that have “interchange-plus” agreements with their banks, allowing for pass-through debit network costs, PIN-debit transactions historically have cost far less than if the same transaction was processed as Signature-debit – i.e. with no PIN validation.  As recently as two years ago, the cost of PIN-debit was as little as half that of a Signature-debit transaction, depending upon the sale amount, merchant type and other factors.

The PIN advantage always was particularly pronounced for merchants selling higher-than-average priced goods and services, i.e. items priced above $40-$50 or so. That was because the debit networks charged more in transaction fees than, say, credit card transactions (about double), but at least they always “capped” the percentage assessed on the sale amount for most transactions. There was a maximum fee for the most common types of transactions no matter what the ticket size.  So, an average retail PIN-debit transaction often would cost no more than 60 or 70 cents all-in.

This was not so for a Signature-debit transaction, however. Signature-debit was priced like credit card transactions, with fees more or less proportional to the price of the merchandise or services.

The gradual tectonic shift in debit card pricing strategy over the years turned into a tremor felt throughout the payments industry in 2009 when Discover’s PULSE network (the third largest) removed its fee cap on most types of PIN-debit transactions. The PULSE percentage fee now floats with the ticket size for standard transaction types. Since then, the other major EFT networks – Star (First Data Corp.), NYCE (Metavante), Accel/Exchange (FiServ) and CU-24 – have followed suit and have eliminated or moved up the caps on the most common PIN-debit transactions.

The final and most influential change just occurred in April 2010. As part of Visa’s semi-annual interchange modifications, Visa raised the Interlink interchange rate for PIN-debit pricing from 75 basis points and $0.17 per transaction to 95 basis points and $0.20 for standard transactions. Visa PIN and Signature pricing are now the same. Considering that Visa’s Interlink debit network has a 40%+ share of the debit card market and that it processes an estimated 73% share of all Signature-debit transactions, the practical impact of Visa’s change to merchants is likely to be profound.

Rate strategies vary and the devil is in the comparative pricing details between networks and transaction or industry categories. So, there still can be found certain price advantages for PIN-debit for some industries and in some ticket-size scenarios.  However, there no longer is a noticeable safe haven price gap between PIN and Signature to be exploited. That is particularly counter-intuitive considering processing rates traditionally have had some relationship to transaction financial risk; PIN-validated transactions have been viewed as inherently less prone to repudiation, thus less risky to the account holders and banks involved than transactions with signature verification.

Many merchants are resigning themselves to the new reality in which Signature-debit reigns supreme. With little price advantage remaining between PIN and Signature, major industries like pay-at-the-pump fuel operations are seriously debating whether to make the estimated $20,000 per location investment required to convert current PIN acceptance devices to a new generation of more secure PIN data devices as mandated by the PCI Security Standards Council Data Security Standard. It even remains to be seen whether Costco, Home Depot, Wal-Mart and other mega-merchants that, due to the price differential of Signature-debit, have not even offered Signature-debit as an option to POS debit customers, will soon do away with PIN-pads.

Major check card issuing banks have been actively promoting Signature-debit in promotional mailings to their cardholders. They have offered incentives on purchases that only apply when a Signature-debit transaction is made. JPMorganChase, according to news reports, has made the inaccurate inference to its cardholders that Signature-validated transactions are somehow more secure than PIN transactions. Presumably they are promoting Signature over PIN debit because they make back more money, as card issuers, from the resulting interchange fees paid when a Signature-debit transaction is processed via the credit card networks, rather than when a PIN-debit transaction is processed by one of the Electronic Funds Transfer (“EFT”) networks. Now that this difference has been largely negated, there is little need to promote Signature-debit per se.

What is causing the major strategy shift by the EFT networks and Visa?   It is all part of the overarching competition between networks to woo financial institutions to issue cards processed by their networks. The networks make money on the transaction processing (“switch”) fees assessed to every transaction that occurs (from about 3¢ to as much as 8¢ for PIN-debit, depending on the network). The majority of the fees charged to the merchant – per transaction and per sales dollar – are paid to the card issuing bank. So what we have been seeing is essentially a bidding war among the networks to get their brand “bugs” printed on the back of the most cards issued.

Having said that, it is not at all obvious yet just how much of a shift in real fee income will come from all this market re-positioning and effective price parity between PIN and Signature-debit. Debit cards have become more and more popular in recent years, especially during the recession. Debit now surpasses credit as the preferred means of POS payment. But debit cards, in whatever format, still are essentially plastic checks, with more or less the same consumer behavior patterns as cash. As such, debit transactions might be more common than credit card transactions, but the dollar volume of debit is far from matching total credit card purchase volumes. Understandably, debit purchases are limited to bank account balances. Higher value goods and services continue to be purchased on credit – although less credit is being extended during the recession. According to a 2009 PULSE study, the average debit transaction in 2008 was about $42 for PIN-debit compared to $37 for Signature-debit. PULSE estimated that more than a quarter of all debit transactions in 2008 were for purchases of less than $10. This compares to average retail credit card purchase amounts that are usually approximated to be about $70-$80.

Processing cost is the paramount issue to most merchants, yet there still are several soft reasons for continued acceptance of PIN-debit transactions:

  • Customers often are more comfortable with the security of PIN validation.  After all, the card is accessing their bank account. Presumably, only the card owner knows and uses the PIN.
  • There are many consumers without credit cards, or who have reached their limits.  PIN and Signature-debit let the customer make a cash-less purchase with the funds they have in their bank account but happen not to have in their wallet.
  • For the merchant, funds process through the EFT networks almost immediately.  By contrast, a Signature-debit transaction, run through the credit card networks, might take 2-3 days to be debited from the consumer’s account.  This can mean less chance of insufficient funds and sometimes faster credit of sale proceeds to merchants.
  • PIN transactions typically can be completed faster in the check-out line and require less documentation and storage by the merchant.  A PIN-debit transaction has considerably less chance of being repudiated successfully.
  • A PIN-debit transaction allows for cash-back to the cardholder at the POS; this is not possible with a Signature-debit transaction.

Even so, much of the appeal of a PIN transaction proves to be somewhat illusory:

  • While it is true that PIN authentication is relatively fool-proof security for a specific transaction, the card remains vulnerable as long as there is a Visa or MasterCard logo on the card and the card can alternatively be tendered for a Signature-debit transaction. Signatures or IDs, obviously, are not always verified by store clerks.
  • Both PIN-debit and Signature-debit cards benefit from consumer protection laws and practices, although the protections come from different laws.  If reported lost or stolen in a timely manner, the cards have a maximum of $50 liability to the account holder.
  • PIN-debit transactions usually do not accrue rewards credits from the issuing banks, whereas Signature-debit cards do.  This feature, alone, is accelerating the shift from PIN to Signature.

There is little merchants can do to shape the system to their benefit.  Merchants are under contractual obligations by their acquiring bank sponsors to accept all cards with a Visa or MasterCard logo. They are prohibited from attempting to “steer” a customer card transaction from one mode of acceptance to another. Card company rules further require merchants with PIN-processing capability to proactively provide customers the choice of making a PIN-debit or Signature-debit transaction.  At best, merchants can only make the threshold decision to either enable acceptance of PIN-debit by making a PIN-pad available at the POS or to accept only Signature-debit transactions at the POS.

Written By: Charles S. Crawford, Executive Vice President for Strategic Development
Electronic Payment Exchange

Evolving Pragmatic Approaches to Payments Security – Part 2 of 2

Wednesday, April 28th, 2010

In this multi-part article, EPX Chief Security Officer Matt Ornce comments on the payments security happenings of 2009 and looks forward to 2010.

What’s In Store for 2010 and Beyond

The key payment security events discussed above offer some direction for trends that are likely to continue into 2010 and indicate new areas that will gain prominence.

The well-publicized and continuous stream of data breaches that came to light in 2009 has forced merchants, solution providers, standards organizations, and the card brands themselves to begin taking a more pragmatic approach to payment security. Beyond the actual costs associated with fines, lawsuits, card replacements, and security upgrades, merchants are learning that damaged reputations, negative publicity, and loss of business also have deep and sometimes unsurvivable bottom-line impacts.

A growing recognition of these potential data breach costs has led merchants to challenge the status quo of slowly developing regulations and conventional technologies that together have not been enough to stem the data breach tide. As a result, increasing numbers of merchants are seeking new solutions that materially protect their data.

Increased Focus on Smaller Merchant Compliance

While the number of credit card numbers breached per month has generally been trending down in 2009, there’s no reason to suggest that the total number of breaches will subside any time soon. As larger entities have shored up their defenses, increasingly smaller entities are being directly targeted.

PCI compliance is required for all entities that store, process or transmit cardholder data, and regulatory and risk awareness continues to grow and roll downhill to smaller merchants, who, according to Visa statistics, make up 99% of the merchant base and account for roughly one-third of all transactions. Current PCI compliance deadlines, fines, and threats of loss of processing privileges focus on Level 1 and 2 merchants, but it’s natural to assume that the smaller Level 3 and 4 merchants are next. Several acquirers have already begun to fine their noncompliant Level 3 and 4 merchants in an effort to push them into compliance.

Increased Legislative Threats

Is 2010 the year for state level breach notification laws to be aggregated into federal law? Probably not, but it’s coming, and might actually be a welcome piece of legislation for those organizations who unfortunately need to struggle with the 46 different state laws. Such legislation could also help streamline the current time-sensitive notification process.

Beyond the financial fraud perpetrated for personal gain, the use of breached cardholder data as a funding source for terrorist activities has been clearly established by the Criminal Division of the Department of Justice, the FBI, the U.S. Secret Service and others, providing a clear impetus for federal regulation of cardholder data security.

Continued Challenges to PCI DSS

The PCI DSS will continue to see its share of challenges. As threats continue to evolve and new technologies surpass the standard’s effectiveness, the PCI DSS’s ability to keep pace will be questioned. Certainly, it’s a delicate balance between deploying new standards faster than the market can bear, and reacting slower than the threats evolve.

New technologies and new threats will always be ahead of the pace of regulation. The PCI Council’s investigation into technologies that help merchants achieve compliance and protect the payment system is certainly encouraging, but the codified results of the PWC study may not be seen for another 12 to 24 months. Meanwhile, the market will inevitably continue to evolve, maturing existing technologies and developing new. The council needs to find the means to distribute guidance faster, even if it’s through the use of best practice bulletins, like Visa’s, that can be issued quickly and eventually adopted into the DSS as requirements.

Until standards for the new technologies are sanctioned, there will be a greater reliance on merchants and QSAs to understand the differences in implementations and their implications on cardholder data security.

Mainstream Acceptance of New Technologies Currently Outside of PCI

With increased security risks and pressure to comply with PCI, merchants will flock to solutions that remove cardholder data from their environments in even greater numbers in 2010. Even though many of the technologies have existed for years, they were considered fringe players until only recently. Compounding the issue, especially with tokenization, has been a flood of new vendors to the space, which has created an impression that the entire field is populated with products that are only months old.

While planned product announcements by larger industry players like First Data, RSA, Hypercom and others may help legitimize these technologies, announcements won’t help merchants against current threats or regulation. Merchants will continue to seek the vendors already in the space and will now be able to gauge them by the guidance provided in the PWC Technology Review and Visa DFE-BP. The Visa DFE-BP especially helps merchants make more informed decisions about tokenization and E2E. Early adopters have already seen the benefits of each of the aforementioned technologies in reducing PCI DSS scope and improving cardholder data security.

Combining Technologies

The preliminary PWC findings suggest that E2E and tokenization can each reduce PCI scope when they are implemented independently of each other, and Visa’s best practices illustrate that they can be combined to even greater effect. As individual technologies become more mainstream, merchants will recognize even greater cardholder data protection from the hybrid solutions.

End-to-end encryption and tokenization are complementary technologies that each protect a different part of the transaction, as hinted at in the Visa DFE-BP. E2E, of course, protects the request portion of the POS transaction by encrypting track data from the swipe to the processor. Tokens provided in the response portion of the transaction provide protection “for business processes that requires the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.” Used together, merchants dramatically reduce their risk without necessarily impacting their customers’ checkout experiences.

In ecommerce, outsourcing the page that takes cardholder data, in combination with using tokens, is another way technologies can be combined for even greater security. Merchants will reduce risk and PCI scope by eliminating card numbers in their processing systems with cardholder data being taken directly from the consumer and given directly to the PCI-compliant outsourced provider. Depending on the solution, they may still be able to maintain full control over their customer’s checkout experience without taking cardholder data.

Clarification of Technologies

The Visa DFE-BP provides an excellent starting point for best practices regarding E2E and tokenization implementations, but the PCI Council does not currently plan on providing definitive guidance on the topic until late 2010. To assist the PCI Council in establishing guidelines, I have submitted the following points as minimum goals for E2E and tokenization deployments:

  • New methodologies must be vetted for security and practicality, which can take years to certify. However, the reapplication of existing standards, such as TDES and DUKPT, is a legitimate strategy to reduce or eliminate this delay.
  • Encryption must start at the swipe reader. Anything beyond that point opens an area of vulnerability for the merchant.
  • The endpoint, from the merchant’s perspective, must be at least the next upstream provider. The farther upstream the data can stay encrypted, the better it is for the security of the entire payment industry. At the very least, the data should be kept out of plaintext at the merchant’s location.
  • Merchants cannot have access to E2E encryption keys. Granting them access to the keys would defeat the purpose and value of encryption within the merchant environment and would throw PCI key management requirements back to the merchant.
  • Tokens should have no relationship to the card numbers they protect so that they cannot be reverse engineered. (Format-preserving encryption is in this category, and should therefore be avoided.)
  • Merchants should allow providers to generate tokens. If tokens are generated in-house, then corresponding card data must also be kept in-house, which defeats much of the merchant benefit of tokenization. In such a scenario, merchants are still responsible for data protection and liable for data loss. They would see no regulatory relief or PCI scope reduction.
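A small provider-side token vault that follows the last three goals above (random tokens with no relationship to the PAN, tokens generated by the provider, and the merchant keeping only the token plus display data). This is an added illustration, not EPX code; the vault, the merchant record store and the sample PAN are all constructed for the example.

```python
import secrets


def luhn_valid(pan: str) -> bool:
    """Mod-10 check on a PAN; rejects obviously malformed card numbers."""
    if not pan.isdigit() or not 12 <= len(pan) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class ProviderTokenVault:
    """Provider-side vault (constructed for this example). Only the provider
    holds the PAN-to-token mapping; the merchant never sees a PAN after the
    request leaves its environment."""

    def __init__(self) -> None:
        self._token_to_pan = {}
        self._pan_to_token = {}

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        # Reuse the token for a PAN the vault has already seen, so recurring
        # payments and loyalty lookups keep working from the token alone.
        if pan in self._pan_to_token:
            return self._pan_to_token[pan]
        # Random token: no mathematical relationship to the PAN, so there is
        # nothing to reverse-engineer (this is what rules out format-preserving
        # encryption as a token scheme).
        token = "tok_" + secrets.token_hex(16)
        self._token_to_pan[token] = pan
        self._pan_to_token[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Provider-only operation for steps that genuinely need the PAN."""
        return self._token_to_pan[token]


class MerchantRecords:
    """What the merchant keeps after authorization: token and last four only."""

    def __init__(self) -> None:
        self.customers = {}

    def store(self, customer_id: str, token: str, last4: str) -> None:
        self.customers[customer_id] = {"token": token, "last4": last4}

    def contains_pan(self, pan: str) -> bool:
        """True if a full PAN leaked into the merchant's stored records."""
        return any(pan in str(rec) for rec in self.customers.values())


def checkout(vault: ProviderTokenVault, merchant: MerchantRecords,
             customer_id: str, pan: str) -> str:
    """Request carries the PAN to the provider; the response carries the token,
    and that token is all the merchant persists."""
    token = vault.tokenize(pan)
    merchant.store(customer_id, token, pan[-4:])
    return token
```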

Conclusion

While the influential payment security events of 2009 have caused some instability and uncertainty in the payments industry, we need to view the events and the lessons learned from them as opportunities for solution providers to further define and shape the industry in 2010.

Discussions of best practices and PCI DSS revisions are constructive, but it’s not enough to merely talk about change. The marketplace needs solutions today. It is incumbent upon us to offer our support and guidance to the PCI Council and card organizations with hopes that we can bring about positive change in the near term.

Likewise, in 2010 we will see the true innovators in payment security continue to deliver powerful and proven solutions to the marketplace, while the announcements of planned products get lost in the shuffle. As merchants continue to gain knowledge about data breach risks and PCI compliance, they will become savvy in recognizing technologies that are nothing more than promises or vaporware, and they will move toward accepting solutions from providers with proven track records.

MATT ORNCE is the CSO of Electronic Payment Exchange, and has more than 20 years’ experience in IT, payments and security.

Evolving Pragmatic Approaches to Payments Security – Part 1 of 2

Wednesday, April 21st, 2010

In this multi-part article, EPX Chief Security Officer Matt Ornce comments on the payments security happenings of 2009 and looks forward to 2010.

Reviewing the trends in 2009 to speculate on the payments landscape in 2010

Several interesting events have shaken the payment card industry from the status quo in 2009, and reactions to these events are influencing the industry’s future. We have witnessed changing views, maturation of guidelines, and security advances related to massive data breaches. Additionally, government legislation, end-to-end encryption, PCI standards, and best practices have been introduced, and we are beginning to see their effects.

Influential payment security events of 2009 – and some forward-looking views for 2010 – are discussed below.

Influential 2009 Payment Security Events

Data Breaches

Credit card and other payment-related data breaches have become widespread in the past decade, and recent technological advances by criminal hackers, identity thieves and terrorist organizations are putting the world–merchants, payment processors, card brands, governments, and consumers–on notice.

One could argue that data breach notification laws have improved incident reporting, artificially creating more news today from smaller breaches that once went unreported. No one can dispute, however, that in the same time hackers have become significantly better organized and their attacks continue to quickly evolve and have become much more sophisticated and effective. In 2009, data breaches continued to occur: from the largest breach ever, announced in January, to the victims whose data is available for sale today, but are still unaware they’ve even been breached.

PCI DSS Effectiveness Questioned

Some concern has been raised that the PCI Data Security Standard (DSS) has not been effective enough in reducing the number and severity of data breaches, especially when entities that appeared to be compliant were breached.

In March, a House subcommittee met to review the state of affairs. Dave Hogan, National Retail Federation CIO and vocal PCI DSS detractor, gave voice to merchant frustration by characterizing PCI as “an elaborate patch”. He further noted that “the ultimate solution is to stop requiring merchants to store card data in the first place.”

At the October 2009 PCI Participating Organization meeting, even Bob Russo, PCI Security Standards Council General Manager, admitted that, “Compliance doesn’t equal security.”

End-to-End Encryption

End-to-end encryption (E2E) was brought to the forefront in mid-2009 as one solution with the potential to significantly help merchants protect their data and even reduce their PCI compliance burdens. Unfortunately, with an overly-ambitious definition of “from the merchant to the issuer,” merchants are no better off today than before the initial hype.

Defining such a broad industry goal is admirable, but if PCI compliance levels are any indication, the effort will take years to develop the standards and re-tool the entire industry to pass encrypted card data from end to end. In the meantime, merchants still need protection against continuously evolving threats, and need solutions that don’t make them individually responsible for saving the entire payment industry.

PCI / PricewaterhouseCoopers Technology Review

During August 2009, the PCI Council directed PricewaterhouseCoopers (PWC) to perform market research on emerging technologies that can improve merchant compliance rates and reduce risks and costs associated with PCI compliance. PWC focused on E2E and tokenization, tacitly validating each approach by recognizing that “These solutions are designed to address some of the inherent risks in the current payment card processes and infrastructure.”

The PCI Council is currently reviewing the PWC data and is likely to incorporate guidance into future PCI DSS revisions, but probably not until late in 2010.

Visa Data Field Encryption Best Practice (DFE-BP)

In October, Visa quickly followed up PWC’s technology review with several key best practices for E2E, effectively filling the gap before the scheduled PCI DSS updates. Most notably, Visa defined in their best practices document the initial “ends” as “from the swipe to the acquirer processor,” which minimizes their own remediation requirements by reducing the proposed industry-wide E2E goals, but increases the immediacy in which merchants can benefit.

The document also recommends using, “an alternate account or transaction identifier [aka token] for business processes that requires the primary account number to be utilized after authorization, such as processing of recurring payments, customer loyalty programs or fraud management.” This guidance further validates E2E and tokenization technology implementations, especially those aligned with the best practices.

EIRF: The Four-Letter Word of Interchange

Friday, April 2nd, 2010

A common interchange surcharge that merchants can avoid.

Whether your transactions are swiped or keyed via the Internet or phone, chances are you’ve often paid more than you should by triggering an interchange re-classification of your transactions to what is called an “EIRF.”

EIRF is ironic Visa USA-speak for a category of interchange called the Electronic Interchange Reimbursement Fee. Ironic because it sounds like a reimbursement to you, but is the opposite.  EIRF is a transaction interchange rate downgrade from the lowest qualified interchange rate to a far more expensive category.

An EIRF transaction costs at least 0.66% (66 basis points) more than a qualified swipe transaction — and is at least 0.50% (50 basis points) greater than the best interchange price for a card-not-present transaction. Visa’s interchange rate for qualified card-present transactions currently is 1.54% + 10 cents per transaction; 1.80% + 10 cents per transaction for card-not-present transactions (not including dues and assessments). An EIRF’d transaction is 2.30% + 10 cents.

So exactly how can an innocent merchant trigger such a hefty downgrade?  Usually, it is a matter of a merchant not being watchful enough of the fine points of transaction submission and batching.

The Visa “Custom Payment Systems[1]/Retail Credit 1” (“CPS/Retail 1”) (i.e. “qualified”) interchange rate for Visa applies to transactions* for which:

  • The cardholder is physically present at the point of sale and the card is therefore available for validation
  • Magnetic stripe data is transmitted in its entirety
  • The cardholder’s signature is obtained on the sales draft
  • The transaction is deposited (captured) and settled within two days of the authorization
  • The amount of the authorization exactly matches the settled amount (with the exception of restaurants and other merchants that commonly see gratuities added to the authorized amount)
  • A single valid electronic authorization is obtained by the merchant
  • The presented card is a Visa traditional card (i.e. not rewards, commercial, foreign-issued, etc.)

*Visa has unique criteria for different merchant categories, such as restaurants, hotels, travel merchants, supermarkets and others, as well as for different transaction volumes or other circumstances.

Qualified card-not-present transactions must meet the following criteria:

  • All requirements of “CPS/Retail 1,” except that:
    • The magnetic stripe data is not required to be read
    • No signature on a sales draft is required
    • The card number and expiration date are captured through some form of key entry
    • An address verification is attempted using the Visa Address Verification Service (AVS) and a positive or partial match is obtained on the ZIP code or full address

Most transactions not involving special Visa card types successfully meet these criteria and thus benefit from the lowest rate category for either swipe or card-absent circumstances. However, if any one of these requirements is not met, the transaction is subject to a downgrade to EIRF or higher rates[2].

EIRF applies to card-present transactions which do not meet the specific CPS requirements:

  • The magnetic stripe cannot be read, but a signature is obtained
  • The authorization is obtained by voice, manually or by “forced” authorization
  • The transaction date is more than two days later than the authorization date and within three days total
  • Transaction data is not in an acceptable format
  • The authorization and settlement amounts do not match exactly for the merchant’s category
  • No AVS match is obtained (for card-not-present transactions)

*There are other merchant-specific conditions that apply if other card types are submitted or the merchant classifications are different.

What can go wrong? A common reason for downgrade to EIRF is failure to settle the transaction within the allowed time frame. Fortunately, with EPX’s payment processing platform initially set up correctly, this should never happen. Transaction settlement automatically occurs at least once daily, before the submission deadline. Although it may seem obvious and easy, automatic batching is not always in place for traditional retailers using terminals or for card-not-present merchants using less sophisticated gateways or virtual terminals. Some merchants may choose to batch transactions manually through their POS terminals, or manually through “virtual terminal” software systems. Sometimes employees forget, or cause errors in the process, and the merchant pays the EIRF piper as a result.

Another fairly common occurrence is a mismatch between the authorization amount and the settlement amount. In the case of businesses with gratuities added to the bill, like restaurants, bars, limousines or others, Visa has given a certain amount of flexibility that is not available to all other merchants. These merchants are allowed to settle at an amount that is up to 20% greater than the authorization. What if the customer is more generous and the gratuity is 25%? The employee is happy, but the establishment gets penalized 76 basis points with a jump to EIRF.

There are many businesses that, by their nature, have inherent lag times between the authorization that opens the transaction and the final settlement. Most obvious in this category are businesses like hotels and car rental companies, but it is also the case for many retailers who rent goods or delay delivery of goods and services. The problem comes when equipment is not returned on time, or it takes longer than expected to fulfill the order. What should occur is a new authorization at the time of final settlement of the transaction. What sometimes actually occurs is the use of the original auth, and therefore a settlement beyond the window allowed for a qualified transaction.

Merchants might accidentally cause a transaction to downgrade to EIRF if the customer has a last-minute change of heart and drops an item from the purchase. Or what if the delivery price changes? The original auth amount might then differ from the settled amount, and the transaction will fall to EIRF. This situation is avoided by training employees to get a new authorization for the adjusted purchase.

The most common mistake for online merchants is failure to properly obtain a match for the customer’s address using AVS verification. If the practice is an occasional mistake by an untrained employee, the EIRF exceptions may not be noticed. But if the problem is a system set-up error, then scores of transactions might be submitted without proper AVS verification. The downgrade fees can become substantial, and worse because they were avoidable. EPX, of course, has a default setting for all card-not-present merchants that automatically prompts for address information from the cardholder as the transaction is key-entered.
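To make the qualification criteria above and the failure modes just described concrete, here is an added Python example; it is not EPX code and not Visa’s actual qualification logic, which carries many more merchant-specific conditions. It encodes only the rules and rates quoted in this post (two-day settlement window, exact amount match with the 20% gratuity allowance, single electronic authorization, stripe and signature for card-present, AVS match for card-not-present) and runs them over a constructed sample batch so that downgraded transactions and their extra cost stand out the way they should on an interchange-plus statement. The VisaTxn record and its field names, the AVS result labels, the tip-tolerant MCC set and the sample MCCs are assumptions made for this example; dues and assessments are ignored, as in the post’s figures.

```python
"""Toy Visa interchange qualification check (added example, not EPX or Visa code).

Rates and rules are those quoted in the post. The VisaTxn record, its field
names, the AVS labels and the tip-tolerant MCC set are assumptions for this
example. Dues and assessments are ignored.
"""
from dataclasses import dataclass
from datetime import date
from decimal import Decimal, ROUND_HALF_UP
from typing import Optional

# Interchange (percentage, per-item fee) as quoted in the post
RATES = {
    "CPS_RETAIL_1": (Decimal("0.0154"), Decimal("0.10")),  # qualified card-present
    "CPS_CNP":      (Decimal("0.0180"), Decimal("0.10")),  # qualified card-not-present
    "EIRF":         (Decimal("0.0230"), Decimal("0.10")),  # downgraded
}
SETTLEMENT_WINDOW_DAYS = 2             # settle within two days of the authorization
GRATUITY_TOLERANCE = Decimal("0.20")   # tip merchants may settle up to 20% over the auth
TIP_MCCS = {"5812", "5813", "4121"}    # assumption: restaurants, bars, limousines
AVS_MATCH = {"full", "zip"}            # constructed labels for a positive/partial AVS match


@dataclass
class VisaTxn:
    txn_id: str
    card_present: bool
    stripe_read: bool
    signature_obtained: bool
    electronic_auths: int          # 1 = single valid electronic auth; 0 = voice/forced
    auth_amount: Decimal
    settle_amount: Decimal
    auth_date: date
    settle_date: date
    avs_result: Optional[str]      # "full", "zip", "none", or None if not attempted
    mcc: str
    traditional_card: bool = True


def qualify(t: VisaTxn):
    """Return (interchange category, list of downgrade reasons) for one transaction."""
    if not t.traditional_card:
        # Footnote [2]: downgrade beyond EIRF; that rate is not on the page, so not modelled
        return "BEYOND_EIRF", ["not a traditional Visa card"]
    reasons = []
    if t.electronic_auths != 1:
        reasons.append("no single valid electronic authorization")
    lag = (t.settle_date - t.auth_date).days
    if lag > SETTLEMENT_WINDOW_DAYS:
        reasons.append(f"settled {lag} days after authorization")
    if t.settle_amount != t.auth_amount:
        # Only tip-accepting merchants may settle above the auth, and only up to 20% above
        tip_ok = (t.mcc in TIP_MCCS
                  and t.auth_amount < t.settle_amount <= t.auth_amount * (1 + GRATUITY_TOLERANCE))
        if not tip_ok:
            reasons.append(f"settled {t.settle_amount} against authorization of {t.auth_amount}")
    if t.card_present:
        base = "CPS_RETAIL_1"
        if not t.stripe_read:
            reasons.append("magnetic stripe not read")
        if not t.signature_obtained:
            reasons.append("no signature on sales draft")
    else:
        base = "CPS_CNP"
        if t.avs_result not in AVS_MATCH:
            reasons.append("AVS not attempted or no match")
    return (base if not reasons else "EIRF"), reasons


def interchange_fee(category: str, amount: Decimal) -> Decimal:
    """Percentage plus per-item fee, rounded to the cent."""
    pct, per_item = RATES[category]
    return (amount * pct + per_item).quantize(Decimal("0.01"), rounding=ROUND_HALF_UP)


def downgrade_cost(t: VisaTxn) -> Optional[Decimal]:
    """Extra interchange paid versus the rate the transaction could have earned."""
    category, _ = qualify(t)
    if category not in RATES:
        return None
    best = "CPS_RETAIL_1" if t.card_present else "CPS_CNP"
    return interchange_fee(category, t.settle_amount) - interchange_fee(best, t.settle_amount)


# Constructed sample batch covering the failure modes described in the post
SAMPLES = [
    VisaTxn("tip-18pct", True, True, True, 1, Decimal("100.00"), Decimal("118.00"),
            date(2011, 1, 10), date(2011, 1, 10), None, "5812"),
    VisaTxn("tip-25pct", True, True, True, 1, Decimal("100.00"), Decimal("125.00"),
            date(2011, 1, 10), date(2011, 1, 10), None, "5812"),
    VisaTxn("rental-late", True, True, True, 1, Decimal("300.00"), Decimal("300.00"),
            date(2011, 1, 5), date(2011, 1, 9), None, "7512"),
    VisaTxn("web-no-avs", False, False, False, 1, Decimal("80.00"), Decimal("80.00"),
            date(2011, 1, 10), date(2011, 1, 11), None, "5967"),
    VisaTxn("web-zip-avs", False, False, False, 1, Decimal("80.00"), Decimal("80.00"),
            date(2011, 1, 10), date(2011, 1, 11), "zip", "5967"),
]


def review_batch(batch=SAMPLES):
    """Map txn_id -> (category, extra interchange) so errant transactions stand out."""
    return {t.txn_id: (qualify(t)[0], downgrade_cost(t)) for t in batch}


if __name__ == "__main__":
    for txn_id, (cat, cost) in review_batch().items():
        print(f"{txn_id:12} {cat:13} extra interchange: {cost}")
```

Running the batch shows the 18% tip settling as CPS/Retail 1 while the 25% tip, the rental settled four days after its authorization and the key-entered sale with no AVS attempt all land in EIRF; the extra cost per item is simply the 0.76% (card-present) or 0.50% (card-not-present) spread on the settled amount, which is what a merchant on tiered pricing never sees broken out.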

For merchants using “interchange plus” pricing, each transaction should be shown on the bank’s or processor’s processing statements, including the details of all downgraded transactions. Other merchants that have agreed to a “tiered discount rate” pricing format will still feel the impact of transactions downgraded to EIRF, but the fee is paid by the bank or ISO and is rarely revealed in detail to the merchant. With tiered discount rates, transactions are usually grouped in three “buckets” (qualified, mid-qualified or non-qualified transactions), and each bucket has an overall price that is higher than some of the interchange rates within the bucket, like EIRF. With EPX’s webSuite reporting system, detailed transaction activity and classification information is always available online, 24x7x365, making it easy for merchants to identify errant transactions and trends and correct the operational issues that may be the cause of substantially higher fees.

Note: Visa Debit and other Visa products have somewhat different rules pertaining to EIRF downgrades. MasterCard International has no single category comparable to EIRF, but has dozens more detailed interchange categories than Visa.

Written by:

Charles S. Crawford

Executive Vice President, Strategic Development
Electronic Payment Exchange


[1] The term “Custom Payment Service” refers to a Visa payment service that accommodates specific payment environments with an identifier that remains with the Transaction throughout its life cycle.

[2] The downgrade could be higher than EIRF if, for instance, the card presented is not a traditional Visa card, as would be the case if the customer used a high-end rewards card, business card, foreign-issued card, etc.