Transaction trends | November 2010
The Official Publication of the Electronic Transactions Association
Ethics for the Real World
Master ethical distinctions with a personal code of conduct

Also inside: Online PIN Debit Arrives; Startups Share Lessons Learned; Card-Free Loyalties
Vol. 15 | No. 11
Cover Story

Ethics for the Real World
By learning a new way of thinking, payments professionals can easily take an ethical approach to everyday business decisions. Harvard Business Review writers explain how.

Features

PINning Hopes on e-Commerce Debit
By Richard H. Gamble
The long-awaited software-only PIN debit option is finally here. Find out what it means for ISOs, acquirers, and processors.

Special Series

Startup Stories: A Year in the Life…
By Julie Ritzer Ross
Our three startup ISOs share what they’ve learned throughout the past year.

Departments

President’s Message: Insights from ETA’s elected leader
Industry News: Trends, strategies, and news in the payments business
ISO Corner: Loyalty programs without the card
Data Security: Vulnerability assessments demystified
Industry Insider: Communication is key to 3Delta Systems’ work with B2B and B2G clients
Ad Index

Cover image by Phil Banko/Getty Images
Electronic Transactions Association
1101 16th Street NW, Suite 402, Washington, DC 20036
202/828.2635
www.electran.org

ETA Chief Executive Officer: Carla Balakgie
ETA Director, Communications & PR: Thomas Goldsmith

Transaction Trends publishing office: Stratton Publishing & Marketing Inc., 5285 Shawnee Road, Suite 510, Alexandria, VA 22312; 703/914.9200
Publisher: Debra Stratton
Features Editor: Angela Hickman Brady
Managing Editor: Josephine Rossi
Editorial/Production Assistant: Teresa Tobat
Art Director: Janelle Welch
Contributing Writers: Brad Caldwell, Richard H. Gamble, Bryan Ochalla, Julie Ritzer Ross
Advertising Sales: Steve Schwanz or Fox Associates (800/440-0232; adinfo.eta@foxrep.com)
Fox Associates Offices: Chicago 312/644.3888; Atlanta 800/699.5475; Los Angeles 213/228.1250; New York 212/725.2106; Detroit 248/626.0511; Phoenix 480/538.5021

Editorial Policy: The Electronic Transactions Association, founded in 1990, is a not-for-profit organization representing entities who provide transaction services between merchants and settlement banks and others involved in the electronic transactions industry. Our purpose is to provide leadership in the industry through education, advocacy, and the exchange of information. The magazine acts as a moderator without approving, disapproving, or guaranteeing the validity or accuracy of any data, claim, or opinion appearing under a byline or obtained or quoted from an acknowledged source. The opinions expressed do not necessarily reflect the official view of the Electronic Transactions Association. Also, appearance of advertisements and new product or service information does not constitute an endorsement of products or services featured by the Association. This publication is designed to provide accurate and authoritative information in regard to the subject matter covered. It is provided and disseminated with the understanding that the publisher is not engaged in rendering legal or other professional services. If legal advice and other expert assistance are required, the services of a competent professional should be sought.

Transaction Trends (ISSN 1939-1595) is the official publication, published monthly, of the Electronic Transactions Association, 1101 16th St. N.W., Suite 402, Washington, DC 20036; 800/695-5509 or 202/828-2635; 202/828-2639 fax. Postage paid at New Richmond, Wisconsin and additional mailing offices. POSTMASTER: Send address changes to the address noted above.

Copyright © 2010 The Electronic Transactions Association. All Rights Reserved, including World Rights and Electronic Rights. No part of this publication may be reproduced without permission from the publisher, nor may any part of this publication be reproduced, stored in a retrieval system, or copied by mechanical photocopying, recording, or other means, now or hereafter invented, without permission of the publisher. Nonmembers, government agencies, $150 per year; single copy, $20. Subscriptions are available for 12-month periods only, at the quoted rates.

President’s Message

A Higher Profile for ETA
There is a dawning realization that the ETA is critical to the acquiring industry. Members and non-members alike have approached me at ETA events and at regional meetings expressing their gratitude to the ETA for keeping on top of recent developments. If it was difficult in the past to know what the regulatory landscape for the payments industry was, it’s even more confusing now. But there is this constant undertone to what people are saying: We are grateful to know that ETA has our backs.

The effectiveness of the ETA is a function of how well known the organization is. Over the past 18 months, we have devoted time and resources to increasing visibility—both within the payments industry and outside it. ETA will be stepping up these efforts next year.

A higher internal and external ETA profile is important for many reasons. First is membership. A strong membership base translates into better services and more effective advocacy. You know the drill: New companies arrive on the scene frequently, just as others depart, are purchased, or merge. In that kind of environment, it’s important that every potential member be aware of our association and the value of ETA membership. In 2010, more than 130 new companies joined ETA.

Further, a growing membership base makes ETA’s advocacy efforts more effective in a multitude of ways. More members mean more grassroots activity. We have invested in the resources to engage members and their employees to assist in our advocacy efforts. But greater member numbers also mean those to whom the ETA is talking—regulators and legislators—are more likely to listen to what we have to say.

Increased visibility also impacts ETA’s credibility. ETA can attempt to influence outcomes, but only if those who write the laws and regulations are informed about ETA and its members. They need to know the size and economic importance of the payments industry we represent. The ETA’s industry survey, currently in development, will provide statistics to assist with that. And, going forward, you’ll be seeing more activity aimed at educating public officials about the payments industry.

The effort we have undertaken on all these fronts is paying dividends in the form of more publicity for the association, increased participation and influence by ETA in legislative and regulatory arenas, and membership growth.

And as we continue to raise ETA’s profile, there is a role for every ETA member to play. If you value your ETA membership and the benefits it brings, make sure that your partners, customers, and peers know it. Your endorsement of ETA is the best testimonial we can have. And keep an eye out for a more visible ETA in the coming year.

Warm regards,
Holli Targan

Holli Targan is president of ETA and a partner at Jaffe, Raitt, Heuer & Weiss, P.C.
Industry News

MasterCard, Visa Settle with DOJ, American Express Challenges Lawsuit

On October 4, Visa and MasterCard reached a settlement agreement with the Department of Justice (DOJ) and the attorneys general of seven states to resolve a two-year antitrust investigation into each company’s merchant acceptance rules. As part of the agreement, merchants may offer a discount for cash and all forms of payment to steer customers toward a particular form of payment, including to a specific network brand or to any card product. The new rules will expand U.S. merchants’ ability to discount their preferred form of payment, though they will not be able to pick and choose among issuing banks. This ruling goes beyond the Dodd-Frank provision and allows retailers to mitigate transaction fees by providing customers with incentives to use cards that cost them less.

American Express, however, has vowed to fight. In an October 4 press release, the company stated that “the antitrust lawsuit filed today against the company is a significant retreat from previous Department of Justice efforts to promote competition in the payments industry.” The company also said that the DOJ’s proposed remedy would interfere with consumer choice at the check-out counter. Chairman and CEO Kenneth I. Chenault said in the press release that the DOJ’s ruling would promote regulation that would ultimately limit competition.

“We have no intention of settling the case,” Chenault said. “We will defend the rights of our cardmembers at the point of sale and our own ability to negotiate freely with merchants. We are confident that the courts will recognize the perverse anticompetitive nature of the government’s case and that we will continue providing a competitive, superior service to cardmembers and merchants.”

AmEx said merchants that accept its cards will not be allowed to direct their customers toward other payment forms while the lawsuit is pending.

The DOJ issued a civil investigative demand to Visa in 2008, seeking information about certain Visa acceptance rules, including those related to surcharging and discounting. A working group of state attorneys general issued a similar civil investigative demand in 2009. Both investigations ended October 4 with a consent decree that sets forth the terms of the settlement, subject to court approval. Visa says it will make formal rule changes after the court enters a final judgment following a public comment period, but will refrain from enforcing its current discounting rules in the interim.
[Infographic: Merchants’ Average Fraud Losses by Payment Method, 2010. Segments: Debit Cards, Alternative Payment Methods, Checks, Credit Cards. Reprinted with permission from the 2010 LexisNexis® True Cost of Fraud Study.]

Fast Fact: Check-Capture App Takes Off
Within the first 36 hours of its launch, PayPal’s mobile check-capture app for iPhone 2.7 received more than $100,000. Source: The PayPal Blog
ISO Corner

Easy Rewards

New loyalty programs put an end to card-carrying membership and leverage social networks

By Julie Ritzer Ross

Over the past few years, customer loyalty programs have evolved from paper mode to a predominantly electronic model involving bar coded, magnetic stripe-emblazoned, or chip-bearing membership cards and tags. While these options remain appealing to many merchants, a new generation of loyalty offerings is emerging in the form of technology ISOs can sell to merchants as easily as their value-added reseller (VAR) competitors already do.

“Cardless” and “tagless” customer loyalty solutions top the list of such innovations. For instance, Catonsville, Maryland-based Loyal-T now makes available through reseller channels a program dubbed PlumReward. To register for the program, customers either send a text message or enter their cell phone numbers into a hand-held PlumReward device installed at the point of sale. They then reply to a text message from the retailer or restaurant operator, confirming enrollment and inquiring whether they would like coupons and promotional information sent to their cell phones.

During each subsequent visit to a given location, participants re-key their cell phone numbers into the PlumReward hardware upon making merchandise purchases or placing orders. The details of these transactions are captured, and once consumers have reached pre-set award levels, they are notified via text message. To redeem rewards, customers again input their cell phone numbers into the hand-held device, showing the result to a sales associate or server.

Merchants in a variety of verticals have deployed PlumReward; many are small operators with franchised units of such chains as Hollywood Tan, Urban Suntanning, Arby’s, Subway, and Pizza Hut. One program user, a single-unit, franchised Moe’s Southwest Grill quick-service restaurant in Altamonte Springs, Florida, has signed up more than 2,000 PlumReward members since the system went live two years ago. Owner Neil Solomon attributes the feat largely to the fact that patrons are not forced to fumble for cards or key tags to participate in the program. Although he declined to quantify sales increases, Solomon says anecdotal evidence points to higher traffic counts and per-visit check totals.

Marketing the Message

Similarly, Street Savings, an Orange, California-based mobile marketing solutions provider, has unveiled a cardless version of its Mobile Rewards platform. Under this umbrella, cardless loyalty program members register their cell phone numbers with participating merchants. Instead of presenting a card or key tag at the point of sale, participants state the appropriate number, and purchases are recorded accordingly.

A “Set and Forget” feature allows merchants to automatically communicate with program enrollees via text messages, including “Miss You” (sent 21 days after consumers’ last purchase), “Halfway There” (indicating that half the necessary reward points have been accumulated), and “Reward Reached.” Participants also can send text requests for reward point balances to merchants; responses are issued immediately.

“The growth of mobile is explosive,” says Pal Flagg, Street Savings’ COO. “Text message offers delivered to ‘opt-in’ customers are opened and redeemed more often, driving business for merchants and revenue for agents.”

Smart Transaction Systems, of Boulder, Colorado, also has jumped on the cardless loyalty technology bandwagon with an STS text-messaging system that works in much the same way as Street Savings’ Mobile Rewards: Registrants’ cell phone numbers are used to track reward points accrual and reward redemption activities. Integration of merchants’ POS systems with the STS solution allows merchants to send text messages to consumers based on an event, such as recent purchases that entitle them to rewards, incentives, or discounts. In most cases, messages can be delivered to customers’ cell phones before they leave the store.

Going Social

Loyalty programs featuring a social networking component, such as Facebook, Twitter, and Foursquare (an application that lets users inform friends that they have “checked in” at a particular location), also are emerging. LoyalTXT, introduced by Sundrop Mobile of Maitland, Florida, is one example. Like many other cardless offerings, loyalTXT utilizes customers’ cell phones and cell phone numbers in lieu of membership cards and key fobs. But the program goes one step farther by fully integrating with social networking platforms Facebook and Twitter.

Users can complete a one-click online process to link their Facebook pages and Twitter accounts with the program. Once such connections have been established, loyalTXT posts relevant notices to customers’ Facebook walls and creates “Tweets” indicating that the person has joined the program or earned a reward. Users’ friends see these notifications, which include links they can click to become program members themselves.

The viral nature of social networking platforms helps merchants’ loyalty programs to grow quickly, not only because it attracts the attention of younger consumers, but because it piques the interest of their equally social network-minded friends and acquaintances. “Social networking acts as another platform for keeping both the operator and the loyalty program fresh in customers’ minds,” notes Sundrop Mobile CEO Travis Priest, adding that his company is actively seeking ISO partners to sell the solution to retail and foodservice accounts alike.

Meanwhile, Pearl River, New York-based VAR/ISO pcAmerica can include a social networking tie-in when interfacing merchant clients’ loyalty programs with its retail or restaurant POS software. Earlier this year, pcAmerica forged the first such link—between Restaurant Pro Express and the TastiRewards loyalty program developed by Tasti-D-Lite, a 44-unit frozen dessert chain headquartered in Franklin, Tennessee. Members of the program can sign in online and connect their Twitter, Facebook, and Foursquare accounts to their loyalty account. When customers use their Tasti-D-Lite “TreatCard” when making a purchase, Restaurant Pro Express posts an automatic Tweet, Facebook notification, and/or Foursquare “check-in” indicating that they have earned reward points.

Early results of the program have already demonstrated far more potential for attracting and retaining a higher volume of customers than did the chain’s previous paper-based program, says David Gosman, pcAmerica’s CEO. Customer loyalty purchase activity has increased significantly in recent months, and the average social networking user reaches 91 friends or followers via automated TastiRewards messages. Gosman adds that ISOs would do well to position the social networking element as an essential piece of any loyalty program given consumers’ ever-growing tendency to be more discerning in their purchasing habits and, consequently, most loyal to those establishments with which they have a personal link.

In a somewhat different twist, Social Rewards, a Torrance, California-based startup company, recently launched a loyalty platform of the same name. Designed to work with merchants’ or brands’ existing loyalty programs or provide a platform upon which clients can create and customize programs from scratch, Social Rewards monitors and tracks “check-in” activity on Foursquare, as well as references to merchants on Twitter and Facebook. The latter include comments on clients’ Facebook fan pages and instances in which Facebook members click the “like” icon beside comments pertaining to their operations.

“The premise of Social Rewards is to take existing brand loyalty program members that have social media tendencies and reward them for their loyalty and word-of-mouth activities with program points that can be redeemed for tangible goods and services,” says Joseph Morin, CEO.

The social networking explosion, combined with consumers’ aversion to carrying multiple loyalty program membership cards, is paving the way for more convenient loyalty program participation. Those ISOs that explore new loyalty program avenues now, rather than later, stand the best chance of differentiating themselves from their competitors and establishing a strong reputation, as VARs do, for providing merchants with true “added value.”

Julie Ritzer Ross is a contributing writer for Transaction Trends. Reach her at jritzerross@gmail.com.
Real-World
12 November 2010 | Transaction trends
Ethics
[ COVER STORY ]
CREATING A PERSONAL CODE TO FOSTER SKILLED DECISION MAKING
By Ronald A. Howard, Clinton D. Korver, and Bill Birchard
I
n the 1970s, author Ron Howard, working as a decision-analysis consultant, was asked by a defense contractor to analyze which fighter plane the U.S. Air Force should choose for its fleet. The contract was big, lucrative, and appealing. The client remarked, “Of course, we all know how the analysis will come out.” Howard raised an eyebrow.Well, no, he had no idea. The contractor’s plane might easily be the best choice, but he would have to perform the analysis first. The unmistakable body language from the client, however, suggested Howard should give in to the temptation to skip a thorough analysis. Howard just needed to say yes to manipulating the results, and the contract was his. Howard realized as never before how technical and financial analyses don’t offer all that is needed for smart decisions. He turned down the job; he couldn’t be tempted to cheat. But the episode turned him to a provocative question: How does a person systematically analyze situations to make clear and correct ethical decisions? By learning a new way of thinking, in other words, we can all become skillful ethical decision makers. Specifically, we must master ethical distinctions to enable clear ethical thinking.We must commit in advance to ethical principles. And we must exercise disciplined decision-making skills to choose wisely.
But by breaking bad habits and forming new ones, we can remedy this flaw. Usually, ethical compromises stem from our being only vaguely aware of the scope of our indiscretions. Most of us are vulnerable to ethical transgressions—to dodge embarrassment, to impress friends, or to simply avoid the effort of thinking. In everyday affairs, we often dismiss minor ethical compromises.We slip into thinking that, for all practical purposes, we are ethically above reproach—at least we are almost above reproach.Almost, like the executive who misses an appointment and, embarrassed to admit the truth, tells colleagues he was out sick.Almost, like a manager who inflates a travel voucher to compensate himself for “hardship” on the road. Almost, like a boss who salvages his promotion by assuming credit for a subordinate’s work. Almost ethical, but not quite.And we say to ourselves,“What great harm is there?”The harm is not so much in the small ethical mistakes themselves. It is in practicing distorted thought. It is in making a habit of fooling ourselves. People often make ethical choices reflexively. In the throes of a dilemma, when we are short on time or energy to think about tough issues, we
Phil Banko/Getty Images
Peril of Faulty Thinking For love, money, or other “good” reasons, we often violate our ethics.We lie to, deceive, steal from, or harm others. And the cause is usually the same: faulty thinking. Unless we develop ethical reasoning skills, we get comfortable with transgressions. And we develop bad habits. While we are asleep at the ethical wheel, unhappy surprises almost always follow.
8
Get the full story on how to create your personal code of ethics. Order Ethics for the Real World at www.hbr.com or www.amazon.com.
Transaction trends | November 2010 13
[ COVER STORY ] let temptation blindside us. And we make snap decisions we regret. We also rationalize our reflexive responses, and we numb ourselves to ethical objections. We make a small compromise that serves as a precedent.That precedent leads to another, and then a third, and so on, until we lose sight of the principles we are violating. We dull our faculty for discrimination. In the worst cases, we put ourselves on a slippery slope to committing serious transgressions. While we often think of ethics as shaping character, it may influence relationships even more. Ethical compromises erect social and emotional barriers between people—barriers that stubborn are hard to discuss. Tainted character is bad enough; strained relationships can be worse. Ethical compromise creates both. The lesson is that it is better to choose instead of react, to develop sensitivity instead of numbness, and to heed the impact of ethical lapses on relationships. Many people you encounter may downplay the ramifications of inconsistent ethical conduct, especially when it comes to smaller compromises. On the path to becoming skilled ethical decision makers, however, we will find it helpful to take both big and small indiscretions seriously. Errors in thought are usually the same in both cases. For example, we may refer to lying as exaggeration, taking creative license, spinning. We may excuse ourselves as being lawyerly, forgetful, or tactful. But when we use euphemisms for such actions, we redefine them as less than wrong. This inculcates a risky thinking pattern, where we cloud our ability to reason—and sometimes erroneously assume the reasoning makes sense to those we deal with. In a Zogby International poll of 8,000 adults, 97 percent said they consider themselves trustworthy. On the other hand, only 75 percent consider the people they work with and live near trustworthy.The gap between these two figures may reflect more than perception. 
Behaviors that may seem ethical to us may not be considered so high-minded by people we deal with. Transgressions crop up in the lives of people across all levels of society. The individuals perpetrating them have all levels of education and work in all professions, 14 November 2010 | Transaction trends
that kind of person.’” The fact is, we are all that kind of person. We are they. Through thinking errors, denial, and rationalization, we can all be put in a position of selling our character for a pittance, of sacrificing our relationships for a song. That’s yet another reason why it is helpful to take a conscious, systematic approach to breaking risky ethical thinking habits—on even the small things.
Engineered Approach
For love, money, or other “good” reasons, we often violate our ethics. We lie to, deceive, steal from, or harm others. And the cause is usually the same: faulty thinking. trades, and industries. It is counterproductive to think we are not players on a landscape dotted with pitfalls we may stumble into ourselves.Temptation is everywhere— and so is compromise. One danger is that we will get caught up in a sequence of not just small temptations but big ones. Maybe they will be life changing or life threatening. Faulty thinking can lure us into wrongs we never imagined. Philip Zimbardo, a psychology professor at Stanford University, has for decades studied the genesis of evil. He writes,“Virtually anyone could be recruited to engage in evil deeds that deprive other human beings of their dignity, humanity, and life . . . we live with the illusion of moral superiority . . .We take false pride in believing that ‘I am not
Engineers start on a project by listing the needs of the people they are serving so that they can deliver a successful product or system. They then use fundamental principles of how people and systems operate to build a practical, satisfying solution. The same approach can be applied to ethics. People need decision-making tools that 1) offer clear ethical guidance, 2) are broadly applicable to everything from the most common to the most important ethically sensitive situations, and 3) are easy to understand and apply.

Engineers like to solve a problem once, not over and over again. That’s why creating a personal ethical code is so important. It will guide your actions in most ethically sensitive situations. Instead of prescribing ethics, this approach invites you to develop your own and to take personal responsibility for them. Individuals of every persuasion need to figure out their own ethics according to their own inner voices. The book outlines how, but here’s a summary:

• First, we must develop awareness of ethical temptation and compromise. We sensitize ourselves to the most common ethical temptations, to lie, deceive, steal, or harm. Our goal is to become aware of these temptations—and the unintended consequences of our transgressions.
• Next, we must learn how to use ethical logic and principles to foster clear thinking. We learn the difference between prudential, legal, and ethical dimensions of an action; between positive and negative ethics; and between the action-based and consequence-based schools of thought. Our goal is to become thoughtful about ethical reasoning.
• We learn to identify the ethical principles we have derived, consciously or unconsciously, from our religion, upbringing, and culture. We also learn to identify the gaps where our existing principles give inadequate guidance. Our goal is to become mindful of our inner voice.
• At this point, we learn to make ethical choices. We identify the common ethical challenges in our life, evaluate them with ethical reasoning skills from the second bullet point above, and commit to new ethical principles. Our work is akin to setting up a filing system: Once we allocate our ethical challenges to proper folders, we don’t have to evaluate them anymore. Our goal is to create an ethical code. We can then use the code to make disciplined, life-enhancing decisions.
• Next, we learn the three-step process for creative ethical decision making: Clarify the ethical challenge, generate creative alternatives, and evaluate alternatives to choose defensible, ethical responses. Our goal is to become skilled and decisive.
• In the final phase, we learn to go beyond ethical basics to using ethics as a lever for better living. Instead of using the three-step process just to do the “right thing,” we strive to use it to do the “best” thing. We learn to seek the whole truth of our behavior, reframe situations to focus on relationships, and use the “loved one” test. Our goal is to transform our personal life through wise ethical choices.
• We learn to do the “best” thing at work as well as in our personal lives. We again use the whole truth concept, reframe situations to focus on relationships, and adopt the “loved one” test. Our goal is to transform our work life through wise ethical choices.

We all yearn to realize the best in ourselves. What confidence can we have that we are succeeding if we feel uncertain about whether we are making ethical decisions the right way? By developing new thinking habits, we learn how to respond intelligently to ethical challenges and live lives of meaning and integrity.
Applying decision analysis to ethics offers a new avenue to making ethical decisions. As unskilled ethical decision makers, we can end up shaving off pieces of ourselves in order to live with ethical compromises. But as skillful decision makers, we can embrace our full selves and live simpler, more satisfying lives. Whereas we start our journey to effective ethical thinking with an uncomfortable flaw, we end up correcting that flaw and feeling comfortable in our own skin—and deepening our relationships with friends, family, and coworkers.

Reprinted by permission of Harvard Business School Press. From Ethics for the Real World: Creating a Personal Code to Guide Decisions in Work and Life by Ronald A. Howard, Clinton D. Korver, and Bill Birchard, Boston, MA, 2008. Copyright © 2008 by the Harvard Business School Publishing Corporation; all rights reserved.
Electronic Transactions Association CODE OF CONDUCT

The Electronic Transactions Association (ETA) and its members are committed to promoting the highest level of individual professionalism, integrity, and skill in the transaction processing industry. ETA encourages fair, healthy, and lawful competition within the industry and amongst its members. The principles advanced herein foster the tenet that professional relationships based on ethical behavior are critical to the industry’s success and continued growth.

1. Professionalism: Members of the ETA are committed to uncompromising integrity. The cornerstone of the transaction processing industry’s reputation should be personal integrity with ETA members dedicated to the principles of honesty, excellence, responsibility, compassion, citizenship, fairness, and respect. An individual’s success within the transaction processing industry is dependent on trusting relationships.
Members of the ETA shall:
a. Exemplify the highest professional standards and business ethics;
b. Engage in appropriate competition, utilizing marketing materials that are truthful, in good taste, and free of false or exaggerated statements;
c. Be aware of and comply with antitrust laws; and
d. Maintain careful attention to product and service quality, realizing these have a direct and substantial effect on merchants.
Members of the ETA shall not improperly obtain proprietary information from a competitor, nor engage in price-fixing, coercion, collusion, or any other illegal act.

2. Knowledge: Members of the ETA value and actively promote a culture of knowledgeable professionals within the electronic transactions industry.
Members of the ETA shall:
a. Continuously acquire payment industry expertise, embrace change, and respond appropriately;
b. Promote ongoing education and knowledge enhancement; and
c. Continually research, develop, and utilize products and services that drive the industry to higher levels of performance, accuracy, and security.

3. Responsibility to Merchants: ETA members shall diligently and honestly promote the best products and services for merchants who accept electronic payments. Members with direct merchant relationships shall advise merchants regularly on changes in the industry, regulations, rules, and compliance issues. Members utilizing sales representatives to call on merchants will take proactive and decisive steps to ensure the clarity of offers and commitments to merchants, will not abuse the trust of merchants, nor exploit the lack of experience or knowledge of merchants. Members will assume responsibility for their sales representatives and ensure sales practices employed adhere to the highest level of professionalism and integrity. ETA members shall not place their needs and desires above those of the merchant in the performance of work for that merchant.

4. Security: The very nature of the industry dictates a high level of respect for the confidentiality and protection of electronic transaction data. ETA members hold paramount the responsibility and accountability for the proper use, storage, and control of confidential transaction data stored by members.
Members of the ETA shall:
a. Take affirmative steps to comply with all industry standards to ensure that such information is strictly safeguarded.
b. Immediately notify the appropriate authorities and proper industry personnel should they suspect a compromise or breach in security protocols.

5. Business Conducted Between ETA Members: In the course of conducting business in the electronic payment processing industry, ETA members will have intricate relationships with each other in the form of suppliers, customers, and service providers. Integrity must underlie all of these relationships.
Members of the ETA shall:
a. Treat colleagues and competitors with respect regardless of race, religion, disability, age, or national origin.
b. Ensure their sales representatives, contractors, and employees are aware of and abide by this Code of Ethics.

6. Impact on ETA: ETA members shall not engage in any conduct or activity that reflects poorly on the ETA, besmirch ETA’s reputation, or otherwise cause embarrassment to the ETA.

7. ETA’s Role: The ETA will sponsor a committee comprised of its members to address “best practices” in the industry and amongst its membership. The ETA encourages its membership to contact the Best Practices Committee with questions or concerns and allow this committee to collectively respond.
[ FEATURE]
PINning Hopes on e-Commerce Debit
New software-only solution breathes life into online payment options
By Richard H. Gamble
KEY NOTES
• For an ISO or acquirer sales force, PIN debit means they have a differentiated product to offer merchants with Internet business that will lower interchange, reduce chargebacks, allow merchants to run a cleaner back office, and allow them to accept payment via several PIN-only debit cards that their customers previously could not use.
• So far, the no-hardware Acculynk approach to PIN debit has been embraced by the industry with one notable exception: Visa.
• Since ISO revenue depends on the markup over the wholesale network charges, ISOs theoretically can price PIN debits in light of their profit targets and market competition. However, new government regulation has cast some doubt over whether ISOs and acquirers will be able to apply market-based pricing. The Durbin amendment contained in the Financial Reform Act promises to bring the Fed into debit pricing and tie prices to costs by some formula yet to be worked out.
For the past 15 years, electronic funds transfer (EFT) networks and merchants have been searching for an e-commerce PIN debit solution. Marred by inconvenient, cumbersome attempts, the prospects for consumer-friendly, PIN-based, online transaction verification seemed just beyond the industry’s grasp. But new software-only solutions could be making that elusive dream a reality.

One such solution, PaySecure, is getting a lot of attention, says electronic payments consultant Les Riedl, president of Speer & Associates, Atlanta. “PaySecure is done exclusively with software. It’s convenient for cardholders, and it works. It has been endorsed by all six of the major EFT networks, and recently MasterCard announced that it would use PaySecure for PIN debit. It’s the solution the industry has been waiting for.”

For an ISO or acquirer sales force, PIN debit means they have a differentiated product to offer merchants with Internet business that will lower interchange, reduce chargebacks, allow merchants to run a cleaner back office, and allow them to accept payment via a lot of PIN-only debit cards that their customers previously could not use for online payments, says Ashish Bahl, chairman and CEO of Atlanta-based Acculynk, which invented and markets PaySecure. “And they won’t need separate contracts with acquirers and processors,” he says. “PIN debit can ride right along with their credit card processing arrangements.”

Here’s how it will work: If an online shopper chooses something to buy and puts in a debit card number, the card is processed as signature debit unless Acculynk supports that issuer, in which case cardholders get a screen that gives them the option to enter their PIN on a patented graphical PINpad using their mouse. If they put in the PIN and it is authenticated, the purchase settles as a PIN debit. If no PIN is entered, it settles as a signature debit, Bahl explains. The cardholder uses his or her same, constant bank-issued PIN every time, but the PIN-pad scrambles the digits each time the shopper clicks on a digit. However, the real security is not scrambling the order of the PIN digits but the encryption around the whole transaction, he notes.
Bright Prospects

Objective experts agree that e-commerce PIN debit has the potential to be a big hit. Merchants favor PIN debit because it costs them less than credit card transactions or even signature debit transactions, says Riedl. The EFT networks favor PIN debit because it would settle over their networks. PIN debits also fit nicely with the growing consumer preference for debit over credit, and consumers like the additional security that the PIN represents, he explains.

For years, industry players have acknowledged that e-commerce PIN debit could be a gold mine. But finding a way to do it didn’t come easily. “There have been plenty of attempts,” Riedl says. In 2000, NYCE tried to score with SafeDebit, but it required the buyers to have discs that they would put in their computers and use a special password or PIN that they would then enter at the merchant Web site. It was too convoluted a process for consumers to embrace.

After that, there were attempts at hardware-based solutions that required buyers to have card readers and PIN-pad attachments for their computers. More recently, NYCE came out with a new SafeDebit process that requires consumers to log-in to their online banking account to generate a pseudo account number that they then use at the merchant site when paying with debit. But this process also proved too complicated to gain traction.

The surprising swing in popularity from credit to debit transactions certainly has increased the rewards for an online PIN debit solution. In the early years of e-commerce, buyers preferred credit because it put borrowed money at risk, not the funds in their checking accounts. Now, they’re looking for a “spend card, not a lend card,” fearful of running up credit card balances at a time when debt is scary for many, Riedl says. “People feel they have more control over their personal finances when they use debit cards,” he notes.

Since e-commerce has grown to a $300 billion industry, the stakes are high. “It’s a huge market,” Riedl says. “If PIN debit can win a third of it, that’s $100 billion. I expect PIN debit to grow quickly and that PaySecure will be the vehicle that is used.”

So far, the no-hardware Acculynk approach to PIN debit has been embraced by almost the entire industry. Acquirers get something new and popular to sell, Bahl claims. Issuers make the same money they would with the rebates they get on signature debits. Merchants like it because it costs them less. The EFT networks like it because it brings them traffic. Discover owns Pulse, so it is on board. American Express has no debit product. MasterCard just announced that it would support PaySecure. Only Visa, which owns 80 percent of the signature debit market, is staying aloof if not hostile, he suggests.
Happy Merchants

If PIN debits can take over Internet commerce, it will make merchants happy. Visa Interlink PIN debits are based on a percentage of the transaction amount plus a per-transaction fee and may be capped at a flat rate per transaction based upon a retailer’s merchant category and transaction volumes. Depending on their volumes, merchants may negotiate lower rates with some of the PIN debit networks, reports Chuck Fillinger, an independent consultant based in Boca Raton, Florida, and an associate of The Strawhecker Group, Omaha.

Signature debits, on the other hand, are calculated at a higher percentage of the transaction plus a flat rate per transaction and are only capped in a few merchant categories, which usually makes them considerably more expensive than PIN debit but less expensive than credit for the merchant, Fillinger explains. Many merchants have made PIN debit the default payment choice and prompt shoppers to supply PINs, he explains.

Merchants also like the prospect of fewer chargebacks. When cardholders enter their PIN, it is difficult for them to dispute the purchase, Bahl points out.

While PaySecure is new and still relatively small, it is up and running, not just a concept or an experiment being tested in small pilots. Issuers already have 20 million debit cards in circulation that work with Acculynk, and that card count was set to greatly expand in October, Bahl reports. And 1,000 merchants are already live with the product.
Cashing In

As online PIN debit moves mainstream, ISOs, sub ISOs, and the merchant-level sales force will want to know how to get on the bandwagon. For ISOs to offer a PIN debit option to their merchants, that option would have to be supported by their gateway provider in most cases, says Donna Embry, senior vice president for strategic product development at Payment Alliance International in Louisville, Kentucky. Signature debit transactions are simpler to support because they mimic credit transactions until the end of the process, when they are debited from a bank account instead of added to a credit balance.

To prepare for online PIN debit, ISOs should think through their business plan and make sure they understand how the PIN debit processor operates, what it will take to set up their online merchants to take PIN debit, what the wholesale pricing will be, and what kind of a mark-up they will add to control their profit margin, Riedl says. They should plan how they will present the value proposition to their merchants, anticipating that merchants will want to drive as many transactions as possible to PIN debit settlement because it gives them guaranteed payment at a lower cost than credit or signature debit transactions.
“It will be another bug that shows up on the merchant Web site,” Riedl notes.

The bandwagon may never get rolling, cautions Greg Cohen, president of Moneris USA, Chicago. “The jury is still out on whether cardholders will want to put their PINs on the Internet,” he says. Regulatory changes may motivate merchants to steer buyers toward PIN debit but unless cardholders like it, it won’t be a success, he says. Moneris has yet to plot its e-commerce PIN debit strategy. “There is a lot of regulation involving routing still to come. We’re waiting to see what happens rather than make decisions prematurely,” Cohen says.
Pricing Strategies

It’s not hard to see why ISOs might push online PIN debit: potentially fatter profit margins. “We give the acquirers a wholesale rate,” says Bahl. “If they want to give this product away to capture the merchant’s other card business, they might not make a lot of money on PIN debit transactions, but they’ll have won a merchant’s entire card business. If they take the fair-market-value price that we suggest, they can make more per transaction on PIN debit than they make on credit card transactions. PIN debit is inherently less expensive, so that allows room for the merchant to see real savings and the sales acquirer/ISO to make a little bit higher profit margin.”

Cohen sees it differently. “You have two different pricing models,” he notes. “Credit and signature debit traditionally allow ISOs and salespeople to make a spread, based on the size of the transaction. PIN debit would allow them to make transaction fees of a few cents. Significant growth on PIN-based debit would cannibalize other payment methods and degrade the margin for sales organizations, but they could use it to capture share shift.”

Since ISO revenue depends on the markup over the wholesale network charges, ISOs theoretically can price PIN debits in light of their profit targets and market competition, Embry says. Historically, PIN debits have been a real bargain for merchants, but the EFT networks have been raising fees lately, so the gap between PIN and signature debits has narrowed, she points out.

However, new government regulation casts some doubt over whether ISOs and acquirers will be able to apply market-based pricing. The Durbin amendment contained in the Financial Reform Act promises to bring the Fed into debit pricing and tie prices to costs by some formula yet to be worked out, Embry says.

The Durbin amendment requires the Fed to apply cost-based pricing for debit fees, but it exempts banks with under $10 billion in assets, Fillinger explains. But most debit cards—around 80 percent—are issued by the 100 or so largest banks that are not exempt. The new standard requires fees to be “reasonable and proportional,” he says. How the Fed will interpret that remains to be seen, but it could be applied bank by bank, which could result in a variety of fee structures.

If that formula treats PIN debits as costing about the same as checks, the price of PIN debits could fall, bringing back the bargain for merchants and increasing their desire to drive as many payments as possible to the PIN debit option, Embry predicts. If that happens, banks could levy new fees on cardholders to make up much of the difference, and consumers may shift their preference to alternatives like ACH debits or prepaid cards, she suggests.

Richard H. Gamble is a contributing writer for Transaction Trends. Reach him at gamble10@earthlink.net.
Startup Stories: Final installment of series following three newly launched ISOs. Stay tuned for profiles of successful and established ISOs.

A Year in the Life…
Our three startup ISOs reflect on their lessons learned over the past 12 months
By Julie Ritzer Ross

From boarding more merchants than initially anticipated, to tapping into unexpectedly lucrative new markets, establishing a new ISO has its rewards. It also presents its share of challenges, which can include, but are not limited to, less-than-fruitful partnerships and financial headaches. These are among the lessons our startup ISOs have learned over the past year as we have followed their progress.

“Over the past year, we have been able to continue building a business of which we can be proud,” says Steven Feldshuh, vice president of business development for Paymint Associates (formerly Paymint Partners) in Brooklyn, New York. Feldshuh notes that he and his partner, George Sarantopoulos, have been able to achieve many of the goals they set out to accomplish when they entered the industry, despite the admittedly unforeseen economic downturn and its devastating effect on businesses, decreased processing volume, and the closing of a few merchant clients’ doors.
ISOs We’re Following:
» Leap Payments, Agoura Hills, CA
» Paymint Associates, Brooklyn, NY

Making Big Strides

When Feldshuh and Sarantopoulos launched their venture, they believed they had a good idea of what they wanted to accomplish, and in many ways, they have made great strides. For example, at Paymint Associates’ inception, Sarantopoulos was already working with a network of ATM dealers, primarily in the New York/New Jersey/Connecticut area. The duo sought to persuade some of these dealers to team up with their new company by reselling credit card processing services as an adjunct to ATMs. Intrigued by the prospect of generating additional revenues, many took the bait—bringing new merchants to the portfolio. Feldshuh has since recruited several of Sarantopoulos’ original ATM distributors to become referral agents.

The ISO has also fared well in its quest to amass and concentrate on a core group of products and services to promote to merchants, rather than to strike out in too many directions at the same time. “We realized that if we tied a few good products together and stayed focused on them, we would be more successful than if we tried to be all things to everybody,” Feldshuh recalls. “For instance, we decided that cash advance and loan products, if structured fairly, would be terrific, natural add-ons to credit card processing and the ATM piece. We have started building a relationship with Principis Capital of New York City, using the company’s very fairly priced platinum program. Our core business will always be credit card processing, but sometimes in order to be able to finance a new POS system, or to help keep a merchant afloat, these advance programs can be of utmost importance.”

Over the past few months, the ISO has been slowly introducing its salespeople to the concept of combining POS equipment sales with credit card processing and using a cash advance or a loan for financing. Up Solution, a POS equipment vendor based in Hackensack, New Jersey, has played an integral role in teaching Paymint Associates’ management the ins and outs of POS technology.

While many initiatives played out exactly as Feldshuh and Sarantopoulos had hoped, there were others they would approach differently if given a second opportunity. Notably, in its initial incarnation, Paymint Associates was a registered ISO of Global Payments. “We thought that by being in a direct registered relationship with Global Payments, we would have a better situation to ‘offer out’ to our sales partners,” Feldshuh concedes. “However, we had underestimated the cost of having to do business on a direct relationship basis. Specifically, paying for support became very expensive.”

Fortunately, Global Payments allowed the partners to extricate Paymint Associates from the arrangement at a fair price, in turn freeing them up to transition their book of business to global ISO Payment Alliance International (PAI). The latter’s price structure covers every element for which Paymint Associates had been paying Global Payments on an à la carte basis. “Yes, we took a hit on the percentage of residuals collected, but the loss in percentage was greatly offset by reduced operating costs,” Feldshuh says. “Additionally, we were able to significantly improve upon the percentage of deals being approved.
We also re-registered with HSBC Bank and the associations through PAI in order to be able to continue to build our brand.”

The alliance with PAI paved the way for attaining another goal: attracting a cadre of “seasoned sales partners who understood the value of receiving a very favorable residual split.” Since the transition from Global Payments to PAI was executed several months ago, Paymint Associates has been able to start building this group while simultaneously offering a cash incentive for each account activated.

On the flip side, the ISO continues to encounter the cash flow difficulties stared down by most electronic payments industry newcomers. While bringing in an outside investor would enable the company to eliminate some of these problems and grow the business at a more rapid pace, the principals don’t want to lose ownership control of the business.

“Instead, we are building slowly, but building a very strong foundation,” Feldshuh explains. “We are extremely optimistic about our potential going forward. We have a great team who care about the company. Our program is very competitive. We look for partners who appreciate a transparent, open-book policy. We are looking to help any of our group, whether in New Mexico, Florida, Massachusetts, or our local area, to build their own sales organizations.”
Finding a Better Way

Like Paymint Associates, Agoura Hills, California-based Leap Payments Inc. has achieved or exceeded many of its first-year objectives. Notably, the ISO’s original business plan allowed for a six-month interval between its inception and “being completely up and running,” says CEO Will Detterman. However, Leap Payments was writing business only three months after opening its doors, and its portfolio is growing monthly with zero attrition.

While Detterman attributes some of this feat to his cadre of industry contacts, as well as to the efforts of a team of behind-the-scenes employees, he deems the components of an operating model designed to distinguish the ISO from the pack equally significant catalysts for his venture’s rapid success. These encompass interchange plus pricing with no startup fees or hidden charges, next-day (12-hour) funding, simplified account management services (including consolidated monthly statements for all card types), and complimentary reviews of merchants’ statements from other ISOs to identify areas of potential savings by switching to Leap Payments.

“From a business perspective, quickly meeting our processing volume goals was a huge milestone, and seeing the portfolio grow every month with zero attrition has been tremendously rewarding,” Detterman observes. “It’s rewarding to hear our merchants tell us that their effective rate has decreased, so clearly they now know what really matters and know their real costs to accept cards. Our net promoter score is off the charts, and we see the results every day as our clients help us get the word out and refer their friends to us.”

He adds that interchange-plus pricing has traditionally been available only to large, high-volume entities rather than small merchants, and still is not the typical model for ISOs of Leap Payments’ size. The company’s portfolio currently includes more than 2,000 merchants whose credit card transaction volumes average $500 to $500,000 per month.

“Yes, we’re taking a big chance with this plan, and we’re making less money on every merchant this way,” Detterman concedes. “However, it’s a way to set ourselves apart from everyone else that handles our market, with payback being the ability to bring more permanent ‘client partners’ to the table.”

As for challenges, determining which areas warrant investment, and how much, has topped the list. Some opportunities that appeared to have great potential turned out to be such a waste of time that Detterman would never entertain them if the business were still at the starting gate. Others that required no financial expenditure whatsoever materialized into significant revenue generators.

In the former category: attempting to work with external sales representatives who claimed they could bring to Leap Payments myriad deals, but never fulfilled their promises. By contrast, the free statement reviews, which involve little effort on the ISO’s part, continue to attract new merchant clients.

“The lesson here is, you never know which opportunity will end up producing the greatest result,” Detterman notes. He adds that in hindsight, he would plan for initial startup expenditures to run 20 percent to 50 percent higher than originally projected. “Just like building a house, building a business takes longer and costs more than you ever imagined,” Detterman observes.

LET US PROFILE YOUR ISO
Watch this space for our new series on successful ISOs. Let us tell your story. E-mail abrady@strattonpublishing.com if you’re interested.
Making a Change

Continued growth is also on the table at CAM Commerce Solutions in Fountain Valley, California. A provider of highly integrated retail and payment processing solutions, CAM moved into the ISO space earlier this year, with Richard Davis serving as director of business development. Davis was previously vice president of business development at Orem, Utah-based Express Transact, which he founded last year.

“As great as things were going at Express Transact, we were focusing so much on our proprietary platform and the micro merchant businesses that we were falling behind on where we ultimately wanted to go with larger, enterprise-level merchants,” Davis says. “CAM Commerce was seeking to move in that direction in line with starting up on the ISO side, so for me the change was right.”

For the past few months, Davis has been concentrating on promoting CAM Commerce’s X-Charge payment platform and merchant PCI compliance initiatives. Express Transact still serves merchants, but will concentrate almost exclusively on its proprietary e-commerce platform. New Express Transact merchant clients seeking services that transcend the platform will be referred to CAM, under terms of a partnership between the two organizations.

“In the ISO space, as everywhere, events don’t always play out as expected,” Davis concludes. “Yet often, as in this case, change is for the better.”

Julie Ritzer Ross is a contributing writer for Transaction Trends. Reach her at jritzerross@gmail.com.
ISO Corner: Data Security
PCI Security Scanning 101
Answering merchants’ questions about vulnerability assessments
By Brad Caldwell
For smaller merchants that frequently have difficulty understanding why they need to comply with PCI Data Security Standards (PCI DSS), not to mention how to do it, PCI security scans arguably rank as the most mysterious step in the process. Tell a business owner that he needs an “external vulnerability assessment scan,” and you will likely be greeted with a blank stare in return. Yet at least three merchants out of every 10 require scans for PCI compliance validation. That includes businesses with e-commerce operations as well as other servers and systems with Internet connectivity. Given the large numbers of merchants with technology infrastructures that must be scanned under PCI rules, acquirers and ISOs should have a basic understanding of what is involved and be able to explain the procedure in simple terms. The following Q&A is designed to help you demystify the topic, prepare your merchants for the scanning process, and convey why scans are important for security assurance.
Q: What is an external vulnerability assessment scan? A: It’s a fancy name for an automated test that is performed remotely over the Internet to identify weaknesses in merchant systems and security procedures that can be exploited by hackers to pilfer customers’ cardholder data. These can include vulnerabilities and misconfigurations of Web sites, applications, servers, and other equipment with Internet-facing Internet protocol (IP) addresses.
Q: What’s a vulnerability, and how many are there? A: Figuratively speaking, a vulnerability is a hole in the merchant’s security systems that hackers can slip through to reach cardholder data. It may involve the way the firewall is configured, failure to apply an updated software patch that plugs the latest “holes” identified by industry experts, older software that is no longer supported and therefore unprotected against the latest methods of attack, or a host of other issues. There are thousands of vulnerabilities listed in sources like the National Vulnerability Database managed by the Department of Homeland Security’s National Cyber Security Division— each one representing a door that must be locked against an attacker.
Q: Who performs these scans? A: If you’re talking to a merchant about PCI security scans, you probably have a PCI compliance program and are using a PCI vendor like SecurityMetrics that is certified to perform these scans. If so, you can simply tell the merchant that your PCI vendor will handle the job as part of your PCI program. (The scan will or will not be included in the yearly fee, depending on your vendor agreement.) If not, the answer is that scans must be performed by an Approved Scanning Vendor (ASV) recognized by the PCI Security Standards Council (PCI SSC). ASVs must pass a series of tests to prove their qualifications and also must be recertified every year. All current ASVs are listed at www.pcisecuritystandards.org/qsa_asv/find_one.shtml.
Q: Who needs PCI security scanning? A: Any merchant that stores, processes, or transmits cardholder data over the Internet must have periodic scans. Even if the merchant does not offer Internet-based transactions, basic functions such as e-mail, employee Internet access, and remote administrator access can provide unprotected pathways into merchant systems and potentially expose cardholder data if not properly controlled.
Q: How does the merchant know that he needs scanning? A: Ask your ASV. The precise answer is that it depends on which Self-Assessment Questionnaire (SAQ) the merchant must complete, based on the business’s payment infrastructure. If it’s SAQ C or SAQ D, scanning is required. In general, this applies to merchants with payment applications connected to the Internet and those with more complex payment environments.
Q: Why is it necessary for merchants to both complete the Self-Assessment Questionnaire and undergo vulnerability scanning? A: These two components of the PCI compliance process work together, much like a resume and a face-to-face job interview. The SAQ is essentially a profile of the merchant’s technology setup to determine whether system security design, procedures, and implementation comply with the specific technical requirements of the PCI DSS. The vulnerability scan tests the merchant’s systems by simulating what a hacker would do to try to breach the merchant network.
Q: How often are scans required? A: According to PCI requirements, scans must be conducted quarterly at a minimum, with additional scanning if there are changes to the merchant’s technical environment such as the addition, configuration, removal, or modification of any system application or hardware devices. Any of these scenarios may create new vulnerabilities that must be checked for the merchant’s protection. Also, new vulnerabilities are discovered daily so merchants can benefit from additional scans. Most ASV contracts provide unlimited scanning for a flat fee, creating no additional burden on the merchant for extra scans.
Q: What merchant systems are scanned? A: The specific systems scanned are determined by the IP addresses in the merchant’s technology infrastructure that store, process, or transmit cardholder data. Scans may include firewalls, external routers, Web servers, application servers, domain name servers, mail servers, virtual hosts, and wireless access points.
Q: How long do these scans take? A: A thorough scan will typically take more than two hours, depending on the merchant’s cardholder data environment.
Q: Are there any security weaknesses that a scan cannot detect? A: External vulnerability assessment scans search exclusively for security weaknesses that can be exploited from outside the merchant’s business via the Internet. They can’t detect internal vulnerabilities such as an employee who is skimming card data. This is why the Self-Assessment Questionnaire goes hand-in-hand with scanning to provide comprehensive data security.
Q: Does scanning interfere with business? A: No. Like antivirus scans designed to protect personal computers, PCI security scans operate in the background and should not impact the merchant. In addition, the scanning procedures established by the PCI SSC state that the ASV should not impact the normal operation of the merchant environment.
Q: How are results reported? A: Results are securely posted online immediately after the scan is completed, using a format provided by the PCI SSC. Merchants can access their test results using their assigned passwords and share their results with their associated acquirers and ISOs.
Q: If the merchant fails a scan, what happens? A: A failed scan is an early warning signal that can help avert a security breach down the road. Merchants can use the results to strengthen their defenses against Internet attacks as well as reduce the risk of PCI fines. Once a business owner knows that a software patch is out of date, for example, he can take corrective action to prevent a hacker from using that particular path to his data door. Then the merchant can rescan to validate the business’s PCI compliance for the quarter.
Q: How effective are scans against hackers? A: At the end of the day, most data compromises seen by SecurityMetrics’ forensic team involve poorly configured firewalls on the merchant’s payment system and/or poorly designed Web sites that are not adequately protected against hackers. External vulnerability assessment scans can detect both problems. In other words, if all merchants had their systems scanned regularly, card thefts would be virtually eliminated. At an average merchant cost of less than $200 per year, it’s a small price to pay to avoid PCI fines, the cost of forensics investigations, fraud reimbursements, card reissuing costs, and damage to the business’s reputation. That’s the message you want to get across to your merchants: Scanning saves.
Brad Caldwell is CEO of SecurityMetrics, a provider of PCI DSS security solutions. For more information, visit www.securitymetrics.com.
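The scanning rules in the Q&A above (SAQ C or D requires scans, quarterly at a minimum, again after any environment change, and a rescan after a failure) can be tracked across a merchant portfolio. This is an added example, not code from the article or from SecurityMetrics; the 90-day reading of "quarterly", the field names, and the sample merchants are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Assumption: "quarterly" is enforced as a 90-day window; the article says only
# "quarterly at a minimum".
SCAN_INTERVAL = timedelta(days=90)
# From the article: SAQ C and SAQ D merchants must be scanned.
SAQ_REQUIRING_SCAN = {"C", "D"}


@dataclass
class Merchant:
    name: str
    saq_type: str
    last_scan: Optional[date] = None        # most recent ASV scan, if any
    last_scan_passed: bool = False
    last_env_change: Optional[date] = None  # system added, reconfigured, removed


def scan_status(m: Merchant, today: date) -> Tuple[str, str]:
    """Return (status, reason) for one merchant as of `today`."""
    if m.saq_type.strip().upper() not in SAQ_REQUIRING_SCAN:
        return "not_required", "SAQ %s does not call for scanning" % m.saq_type
    if m.last_scan is None:
        return "scan_now", "no scan on record"
    if not m.last_scan_passed:
        return "remediate_and_rescan", "last scan failed; fix findings, then rescan"
    # A change made after the last passing scan may have opened new holes.
    if m.last_env_change is not None and m.last_env_change > m.last_scan:
        return "scan_now", "environment changed since last passing scan"
    due = m.last_scan + SCAN_INTERVAL
    if today > due:
        return "scan_now", "quarterly scan was due by %s" % due.isoformat()
    return "compliant", "next scan due by %s" % due.isoformat()


def portfolio_report(merchants: List[Merchant], today: date) -> Dict[str, List[str]]:
    """Group merchant names by status so an ISO can see who needs follow-up."""
    report: Dict[str, List[str]] = {}
    for m in merchants:
        status, _ = scan_status(m, today)
        report.setdefault(status, []).append(m.name)
    return report


# Constructed sample portfolio (all names and dates are invented).
SAMPLE = [
    Merchant("Corner Cafe", "B"),
    Merchant("Web Shop", "C", date(2010, 9, 1), True),
    Merchant("Outdoor Gear", "D", date(2010, 7, 1), True),
    Merchant("Book Nook", "C", date(2010, 10, 10), False),
    Merchant("Tea House", "D", date(2010, 10, 1), True, date(2010, 10, 20)),
    Merchant("New Store", "c"),
]

if __name__ == "__main__":
    for merchant in SAMPLE:
        print(merchant.name, *scan_status(merchant, date(2010, 11, 15)))
```

A passing scan only counts until the next change to the environment, which is why the change check runs before the 90-day check.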
ETA 2009-2010 BOARD OF DIRECTORS OFFICERS PRESIDENT Holli Targan Partner Jaffe, Raitt, Heuer & Weiss, P.C.
Kim Fitzsimmons Senior Vice President–First Data Services First Data Corporation
Advisory Council Robert Baldwin President & CFO Heartland Payment Systems, Inc.
Heidi Goff Senior Vice President, Global Strategic Accounts The Americas Hypercom, Inc.
Joe Cohane CEO Veracity Payment Solutions
PRESIDENT-ELECT Rick Pylant President & Chairman COCARD Marketing Group, LLC
Robert McCullen CEO Trustwave
TREASURER Eddie Myers President & COO Payment Processing, Inc. SECRETARY Roy Banks CEO ACCELERATED Payment Technologies™ IMMEDIATE PAST PRESIDENT Nick Baxter Senior Vice President First National Bank of Omaha DIRECTORS Todd Ablowitz President Double Diamond Group
Jeff Rosenblatt President EVO Merchant Services Debra Rossi Executive Vice President Merchant Payment Solutions Wells Fargo Bank Dave Siembieda President & CEO CrossCheck, Inc. Tom Wimsett President & CEO National Processing Company
Dean Leavitt Chairman & CEO Unicorn Partners, LLC
ex-officio Carla Balakgie CEO Electronic Transactions Association Jan Estep President & CEO NACHA Sameer Govil Head of Acceptance Solutions Global Acceptance Visa
Ed Myers U.S. President Global Payments, Inc.
Matt Johanson Vice President Acquirer Relations Discover Network
Deana Rich President Rich Consulting
Steve Carnevale Senior Vice President/ Group Head Commerce Development MasterCard Worldwide
Kurt Strawhecker Executive Partner The Strawhecker Group Buzz Stryker President & CEO POS Portal, Inc.
Bryan O’Malley Vice President American Express LEGAL COUNSEL Dave Goch Attorney at Law Webster, Chamberlain & Bean
Greg Cohen President Moneris Solutions
Advertisers Index
Company | Page | Phone | Web
AmeriMerchant | 4 | 212-779-2100 | www.amerimerchant.com
Authorize.Net | C2 | 866-437-0491 | www.authorize.net
Capital Access Network, Inc. | 7 | 770-590-7566 | www.capitalaccessnetwork.com
Cynergy Data | 11 | 800-933-0064 x5147 | www.cynergydata.net
eProcessingNetwork | 10 | 713-880-0326 | ssotis@eprocessingnetwork.com
Fifth Third Processing Solutions | 23 | 513-534-7678 | www.ftpsllc.com
First Data Corporation/Partner Sales ISO | 9 | 800-735-3362 | www.firstdata.com
First Data Corporation/TASQ | 17 | 800-735-3362 | www.firstdata.com
Merchant Warehouse | C3 | 800-749-2173 | www.merchantwarehouse.com
Network Merchants Inc. | 2 | 800-617-4850 | www.nmi.com
Security Metrics | 25 | 801-724-9600 | www.securitymetrics.com
Total Merchant Services, Inc | C4 | 888-84-TOTAL x9727 | www.totalmerchantservices.com
TransFirst | 1 | 214-453-7711 | www.transfirst.com
USA ePay | 16 | 866-872-3729 | www.usaepay.com
Industry Insider
Education, Engagement, and Empathy
3Delta Systems’ emphasis on the “three Es” meets B2B and B2G needs
By Bryan Ochalla
Clients tend to sign with the Chantilly, Virginia-based payments processor 3Delta Systems for one of three reasons, says Aaron Bills, founder and chief operating officer. “One, they want to increase their PCI compliance through tokenization,” he says of his company’s predominantly business-to-business (B2B) and business-to-government (B2G) customers. “Two, they’re trying to reduce their costs through better interchange qualification. And three, they’re looking to gain operational efficiencies.” Sometimes, clients ask 3Delta Systems to assist them with all three. “That’s one thing we tell our clients all the time: You don’t have to choose just one, you can have all three. You can be more secure, you can reduce your card fees, you can increase your operational efficiencies—and you can do it all at the same time.”
Consultative Conversations
3Delta Systems boasts a suite of secure, scalable, fully hosted Internet-based payment products and services designed to provide Level 3 line-item detail, such as CardVault, EC-Batch, EC-Linx, EC-Pay, and ECZone. But Bills and his colleagues often find themselves educating their sometimes-confused clients before they can talk solutions. “Many people still don’t understand interchange and how it works,” says Bills, who describes 3Delta Systems as a “payment system service provider…with p-card [purchasing card] being the tender type that we’ve focused on to this point.
“The single biggest impediment to [our] growth isn’t price or technology—it’s lack of education. If people don’t know to ask a question, it’s hard to get them to engage.”
Rather than starting out with a sales pitch, the 3Delta Systems team educates and engages potential clients through open dialogue. Typically, such conversations begin with the potential client asking about p-card processing and end with the client talking about “additional problems they hadn’t thought of, or at least articulated. For instance, they may realize that they’re having problems with back-office reconciliation.” Those consultative conversations also help Bills and his colleagues gauge a potential client’s level of sophistication. “So if we need to drop back a bit and bring them up to speed, we’ll do that,” he says, “but if they’re already pretty savvy and aware, we can dial up the conversation to match their needs. We always try to talk to the client at their level, in their language, in terms that are relevant to them,” he adds.
Client Focus
Educating and engaging the client, as well as showing empathy, are especially important in the business-to-business and business-to-government space, because “you’re trying to help each client solve specific business and process issues—which may not be the same issues that another client is trying to solve. You really have to adapt to each client’s business-process flows, technical requirements, and operational and economic needs in order to help them.” Bills considers the every-client-is-unique approach used by the 3Delta Systems crew to be “quite a bit different from the one used by most people in this space. Most people [tell a potential client], ‘Here’s my rate. Here’s my terminal.’ You can’t really take that conversation anywhere.” Although cost eventually comes up in the conversations, Bills says it’s “way down the list. They’re still cognizant of cost, of course, but because we engage them in trying to find different ways to do business, we have a lot more wiggle room and a lot less price pressure—as long as we deliver good ROI.” That allows the 3Delta Systems team to focus on the company’s founding mission. “This company was created back in 1998 specifically to service the B2B and B2G market space, with p-card being the leading payment method in that space,” he reiterates. “It’s why we were created. “The idea of moving rich information and payments together, simultaneously, is not new to us,” he adds. “It’s not an afterthought. It’s not a bolt-on. The fusion of information and payment moving together is what 3Delta Systems is all about.”
Bryan Ochalla is a contributing writer for Transaction Trends. Reach him at bochalla@yahoo.com.
GET THE REAL STORY. REAL REPS. REAL SUCCESS.
What makes you good sales agents? Having the same regard for each customer, no matter how big or small. Why do merchants choose you? We always put ourselves in their shoes. We know what it’s like to get the runaround and our service is always up-front. What’s your aspiration? To build long-term financial security for our kids. And to enjoy some of the finer things today, by earning well above the average. Chris, what’s your inspiration? I grew up relatively poor compared to many of my friends in high school. I think seeing their much nicer homes and nice vacations, etc. definitely made an impression. Monica, how do you maintain your work/life balance? I leave work at the office and the computer off at home, otherwise I get sucked into the email trap! What were your residuals before the TMS Free Terminal Placement Program? Average. Residuals now? Way above average! What’s the best decision you ever made? Joining Total Merchant Services as sales partners. What’s your greatest accomplishment? Our family. Your perfect weekend? Being with the kids at the beach.
Chris and Monica Collins Business Credo: Give a lot to get a little.
Start writing your success story today! Join the team with a proven track record. Check out Total Merchant Services program details at www.upfrontandresiduals.com or call us toll-free at 1-888-84-TOTAL ext. 9411 Total Merchant Services (TMS) is a Member Service Provider for: HSBC Bank USA, National Association, Buffalo, NY.