How VARs (and ISVs) Can Navigate the World of Payment Processing
By Julie Ritzer Ross, Contributing Editor, VSR
In recent years, savvy, forward-thinking VARs have begun to venture out of their comfort zone by tapping a variety of vertical niches. Payment processing tops the list, but resellers and ISVs cannot profit fully from playing the field without first getting the lay of the land.
All card payments flow through a payment processor, an entity that authorizes transactions and settles funds to merchants on behalf of an acquiring bank. The processor is connected to a merchant's site via a payment gateway. Payment processing technology can be:
· Stand-alone, wherein the consumer's payment information is captured on a separate payment terminal and the transaction is later keyed into the POS application. Stand-alone systems work well for small retailers, particularly those still using cash drawers. The downside: reconciling transactions between the POS and the payment terminal is a two-step process, exposing merchants to keying errors as well as fraud.
· Integrated with the POS system, either through a server at headquarters (for chains) or within a store-level POS application. Advocates of integrated payment processing say it minimizes human error by eliminating the need to re-enter payment information into the POS system. They also peg the price of integrated payment software at about 50 percent below the cost of stand-alone terminals.
As the payment processing space becomes increasingly competitive, VARs can also give themselves a competitive edge by going beyond the basics, implementing or working with processor partners to implement such options as:
· Contactless/mobile payment technology. In addition to faster transaction processing and larger transactions (30 percent greater than cash, according to the Smart Card Alliance), contactless and mobile payment technology gives merchants a strong shot at differentiation from their competitors. Beyond key fobs and tags, they can offer closed-loop payment products on new form factors such as contactless stickers, smart cards and mobile phones. These form factors shore up customer loyalty, increase brand awareness, and reduce counterfeit card fraud. According to some sources, loyalty programs do not work for Tier 3 and Tier 4 merchants unless offers are delivered at the point of sale in response to the tap of a contactless device.
· PIN-steering applications. These applications prompt the consumer for a PIN when the swiped card's BIN identifies it as a debit card. According to Henry Helgeson, co-CEO of Merchant Warehouse, such applications enable merchants to satisfy growing demand for debit payment options in general and PIN debit in particular. Better still, they present PIN debit as the default transaction mode, increasing merchants' chances of converting consumers who still favor signature debit to PIN-based payment, which in turn reduces interchange fees.
· Online PIN debit applications. Online PIN debit acceptance is gaining ground because of the additional layer of security it affords Internet shoppers. Consumers enter their card number and associated information on a merchant's checkout page, then key their PIN into an on-screen keypad that encrypts the PIN as it is entered.
· Protection for WLAN systems. Wireless local area networks (WLANs) give retailers flexibility in configuring POS systems and linking multiple stores, but attackers have become adept at breaking into WLANs and stealing card data. To reduce the risk of violating the Payment Card Industry Data Security Standard (PCI DSS), the set of requirements that merchants, acquirers and processors must follow to safeguard cardholder account numbers and other sensitive data, VARs should counsel retailers to put a firewall between their POS systems and their WLANs, and to segment the network so that payment devices are separated from every other system (e-mail, Web browsing, guest Wi-Fi). Wireless links that carry cardholder data should use Wi-Fi Protected Access (WPA2 where supported, WPA otherwise); WEP is no longer an acceptable control under PCI DSS, and any access point still running WEP should be reconfigured or replaced.
· End-to-end encryption (E2EE). With end-to-end encryption, cardholder data is encrypted inside the reader at the moment of the swipe and stays encrypted across the POS, the store network and the gateway until it reaches the payment processor, which holds the decryption key. Because the merchant's systems only ever handle ciphertext, a compromise of the POS or store network does not expose account numbers, and the scheme can reduce the scope of the merchant's PCI DSS assessment. The protection is only as good as the key management: keys must be injected into the reader securely and must never be available to the POS software.
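The following Go program is an added example, not code from the original article or from any of the vendors quoted in it. It models the E2EE flow above with three hops: the reader encrypts track 2 data with AES-GCM under a key shared only with the processor, the gateway forwards the opaque envelope (it can read the terminal ID to route, nothing more), and the processor decrypts and verifies. The key, terminal ID, track data and the static-key arrangement are constructed for illustration; a production reader would derive a fresh key per transaction (for instance under DUKPT) rather than hold one static key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
)

// Envelope is the only thing that leaves the reader. The merchant POS and
// the gateway can read TerminalID to route the message, but the track data
// is an AES-GCM ciphertext for which they hold no key.
type Envelope struct {
	TerminalID string // cleartext routing field, authenticated as AAD
	Nonce      []byte // 12-byte GCM nonce, unique per message
	Ciphertext []byte // ciphertext || 16-byte authentication tag
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// terminalEncrypt runs inside the card reader at swipe time. The key is
// shared only with the processor; it is a static key here for illustration
// (assumption), where a real reader derives a per-transaction key.
func terminalEncrypt(key []byte, terminalID, track2 string) (Envelope, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	// The terminal ID is authenticated (AAD) but not encrypted, so the
	// gateway can route on it while any change to it is detected.
	ct := gcm.Seal(nil, nonce, []byte(track2), []byte(terminalID))
	return Envelope{TerminalID: terminalID, Nonce: nonce, Ciphertext: ct}, nil
}

// gatewayForward stands in for the merchant POS and the gateway. They can
// route on TerminalID and log the envelope, but cannot read the cardholder
// data or alter anything without the processor noticing.
func gatewayForward(env Envelope) Envelope {
	return env
}

// processorDecrypt runs at the payment processor, the first hop that holds
// the key. GCM's Open fails if the nonce, ciphertext or TerminalID changed.
func processorDecrypt(key []byte, env Envelope) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, []byte(env.TerminalID))
	if err != nil {
		return "", errors.New("authentication failed: envelope altered or wrong key")
	}
	return string(pt), nil
}

func main() {
	// Constructed sample data: a 32-byte demo key and the standard test PAN.
	key := []byte("0123456789abcdef0123456789abcdef")
	track2 := "4111111111111111=2512101" // PAN=expiry+service code, test values

	env, err := terminalEncrypt(key, "TERM-0001", track2)
	if err != nil {
		panic(err)
	}
	fmt.Println("gateway sees:", env.TerminalID, hex.EncodeToString(env.Ciphertext))

	pt, err := processorDecrypt(key, gatewayForward(env))
	fmt.Println("processor recovers:", pt, err)

	// A gateway that rewrites the terminal ID (or any byte) is detected.
	env.TerminalID = "TERM-0002"
	_, err = processorDecrypt(key, env)
	fmt.Println("tampered envelope:", err)
}
```

The point to take from the program is where the key lives: neither `gatewayForward` nor anything else on the merchant side takes a key argument, which is exactly the property that keeps the PAN out of the merchant environment.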
No matter what approach they take to payment processing technology, VARs entering the arena also need to be aware of the card-brand mandates built on PCI DSS. As of July 1, 2010, merchants must comply with three additional rules regarding:
· Payment applications. Every payment application that stores, processes or transmits cardholder data must be validated against Visa's Payment Application Best Practices (PABP) or the PCI Payment Application Data Security Standard (PA-DSS). This covers software that runs on a POS system; it does not cover stand-alone terminals used only to swipe credit and debit cards. PA-DSS-validated software supports, but does not by itself deliver, the merchant's own PCI DSS compliance. PABP is Visa's predecessor to PA-DSS, with nearly identical requirements. Visa maintains a list of validated payment applications at http://visa.com/cisp; the PCI Security Standards Council maintains its own roster at https://www.pcisecuritystandards.org.
· PIN entry devices. Under the PIN Entry Device (PED) standard, merchants that accept PIN-based debit must use PIN pads that support the Triple Data Encryption Standard (TDES, also written 3DES) and are loaded with TDES keys. TDES applies the DES cipher three times to each PIN block (encrypt, decrypt, encrypt under two or three keys); it replaced single DES, whose 56-bit key can be brute-forced and is no longer considered secure. The PIN is formatted into a block and encrypted inside the tamper-responsive keypad, so a cleartext PIN never leaves the device. Adherence to the PED standard is validated by certified PED laboratories.
· Device certification. After July 1, merchants cannot use any PIN entry device that has not been certified under the PCI PIN Transaction Security (PCI PTS) program or the older Visa PED program. Sources say the majority of non-qualifying devices were manufactured before 2004.
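To make the PED requirement concrete, here is an added Go example (not code from the article or from any PIN pad vendor) of what a TDES PIN pad actually does with a PIN: it builds an ISO 9564-1 format 0 PIN block, which XORs the PIN with the rightmost twelve PAN digits so the block is bound to the card, and encrypts that single 8-byte block with TDES. The same code reverses the operation as the acquirer's HSM would. The PAN, PIN and 16-byte key are constructed test values; key injection and per-transaction key derivation, which a real PED also handles, are outside this example.

```go
package main

import (
	"crypto/cipher"
	"crypto/des"
	"encoding/hex"
	"errors"
	"fmt"
	"strconv"
	"strings"
)

// pinField builds the 16-hex-digit PIN field of an ISO 9564-1 format 0
// block: control nibble 0, PIN length, the PIN digits, then F padding.
func pinField(pin string) (string, error) {
	if len(pin) < 4 || len(pin) > 12 {
		return "", errors.New("PIN must be 4 to 12 digits")
	}
	for _, c := range pin {
		if c < '0' || c > '9' {
			return "", errors.New("PIN must be numeric")
		}
	}
	return fmt.Sprintf("0%X%s%s", len(pin), pin, strings.Repeat("F", 14-len(pin))), nil
}

// panField is 0000 followed by the 12 rightmost PAN digits, excluding the
// Luhn check digit.
func panField(pan string) (string, error) {
	if len(pan) < 13 {
		return "", errors.New("PAN too short")
	}
	body := pan[:len(pan)-1]
	return "0000" + body[len(body)-12:], nil
}

// clearPINBlock XORs the two fields. Binding the PIN to the PAN means a
// block captured for one card is useless against another card.
func clearPINBlock(pin, pan string) ([]byte, error) {
	pf, err := pinField(pin)
	if err != nil {
		return nil, err
	}
	qf, err := panField(pan)
	if err != nil {
		return nil, err
	}
	a, _ := hex.DecodeString(pf)
	b, _ := hex.DecodeString(qf)
	out := make([]byte, 8)
	for i := range out {
		out[i] = a[i] ^ b[i]
	}
	return out, nil
}

// tdes returns a TDES cipher. A 16-byte two-key TDES key (K1 K2) is
// expanded to K1 K2 K1 because Go's crypto/des expects 24 bytes.
func tdes(key []byte) (cipher.Block, error) {
	if len(key) == 16 {
		k := make([]byte, 0, 24)
		k = append(k, key...)
		k = append(k, key[:8]...)
		key = k
	}
	return des.NewTripleDESCipher(key)
}

// encryptPINBlock is the operation the PED standard requires to happen
// inside the tamper-responsive keypad: one TDES encryption of the block.
func encryptPINBlock(key, block []byte) ([]byte, error) {
	c, err := tdes(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Encrypt(out, block)
	return out, nil
}

// decryptPINBlock is the acquirer/HSM side of the same operation.
func decryptPINBlock(key, enc []byte) ([]byte, error) {
	c, err := tdes(key)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 8)
	c.Decrypt(out, enc)
	return out, nil
}

// recoverPIN reverses the format 0 construction on a decrypted block and
// rejects blocks whose padding is wrong (wrong key or wrong PAN).
func recoverPIN(block []byte, pan string) (string, error) {
	qf, err := panField(pan)
	if err != nil {
		return "", err
	}
	b, _ := hex.DecodeString(qf)
	clear := make([]byte, 8)
	for i := range clear {
		clear[i] = block[i] ^ b[i]
	}
	h := strings.ToUpper(hex.EncodeToString(clear))
	n, err := strconv.ParseInt(h[1:2], 16, 0)
	if h[0] != '0' || err != nil || n < 4 || n > 12 {
		return "", errors.New("not a valid format 0 PIN block")
	}
	l := int(n)
	if strings.Trim(h[2+l:], "F") != "" {
		return "", errors.New("bad padding: wrong key or PAN")
	}
	return h[2 : 2+l], nil
}

func main() {
	// Constructed sample values: the standard test PAN, a demo PIN and a
	// demo 16-byte (two-key) TDES key.
	pan, pin := "4111111111111111", "1234"
	key := []byte("0123456789ABCDEF")
	clear, err := clearPINBlock(pin, pan)
	if err != nil {
		panic(err)
	}
	fmt.Printf("clear block:     %X\n", clear) // 041225EEEEEEEEEE
	enc, _ := encryptPINBlock(key, clear)
	fmt.Printf("encrypted block: %X\n", enc)
	dec, _ := decryptPINBlock(key, enc)
	got, err := recoverPIN(dec, pan)
	fmt.Println("recovered PIN:", got, err)
}
```

Note that the clear block never exists outside `encryptPINBlock`'s caller in this model; in a certified PED the equivalent code runs inside the secure module, which is what the laboratory validation referred to above actually checks.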
Visa has publicly stated that it will not fine acquirers for non-compliance with these mandates until July 1, 2012. Acquirers, however, may impose non-compliance fines on merchants at any time after July 1, 2010, and should an unapproved device be involved in a data breach after that date, both the merchant using the device and its acquirer bear liability for the incident.
Moreover, meeting the July 1 deadline does not by itself make a merchant PCI compliant or safe from compromise. VARs positioning themselves as trusted advisers in the payment processing field should help merchants achieve and maintain PCI compliance, either directly or with a security partner, by:
· Completing the PCI Self-Assessment Questionnaire (SAQ). Available at https://www.pcisecuritystandards.org, this compliance-validation tool comes in several versions depending on how the merchant accepts cards and can be difficult to navigate without expert assistance.
· Systems assessment. PCI DSS requires quarterly external vulnerability scans by an Approved Scanning Vendor (ASV); scanning the payment environment at least that often, and again after any significant change, uncovers weaknesses before an attacker does.
Picking a Processor
Yet before they even begin to think about technology and PCI compliance, resellers should perform due diligence in selecting and maintaining relationships with one or more payment processor partners. Issues to weigh include:
· One partner, or more? Some experts advocate cultivating relationships with several payment processors and offering solutions that are certified with a wide range of them. For one thing, many retailers have existing merchant account relationships with specific processors and may be unwilling to sever them simply to sign on with a new VAR. For another, each processor has its own message format and its own specifications for how card data must be communicated to its network. Solutions certified with a variety of processors eliminate those communication problems and make it easier to compete.
But working with one processor also has its advantages, according to Bryan Daughtry, vice president, sales and marketing of Up Solution, powered by United Merchant Services. Such an approach puts VARs in a position to earn a higher share of revenues from the chosen processor and to tap into an enhanced payment processing platform, because that processor views the VAR as more committed to its business.
· Besides revenue-sharing, what else does the processor offer to VARs? For instance, is there assistance for VARs in building a portfolio of technology and services? Is there an Internet portal that allows daily access to information on what is happening with accounts? These types of elements are essential to generating profits.
· What about merchant services? As an example, merchants should have online access to information regarding deposits, settlements, chargebacks and the like.
In addition to Henry Helgeson of Merchant Warehouse and Bryan Daughtry of Up Solution, VSR would like to thank the following individuals for contributing their expertise to this article: Tom Reichert, vice president, business development and Lucas Zaichkowsky, senior compliance technologist, Mercury Payment Systems; Mohammad Khan, president and founder, ViVOtech; Steve Bagley, vice president, business development, Cynergy Data; Dr. Tim Cranny, CEO and Leslie Norris, executive vice president, Panoptic Security; Tim Murray, vice president, product management and marketing, Payment Processing Inc.; Tracy Metzger, chief technology officer, T-Gate Payments; Terry Zeigler, president and CEO, Datacap Systems; and Stuart Taylor, vice president, global solutions and marketing, Hypercom.