Credit Card Merchant Accounts for Collections – Beware!

By Stephen Price

Stephen Price - General Partner E-Complish/Regal Technologies




As you may or may not be aware a major player in the collection industry is no longer processing for some 2200+ collection agencies. This has caused many good companies to suddenly lose their credit card processing privileges.

So why is this happening?

The short answer is because credit card rules state that you cannot replace a debt with a debt. Meaning you cannot use a credit card to pay towards written-off or purchased debt. Unless you are collecting on early-out (pre-charge-off 30-90 day old accounts), you should not have the ability to process credit cards at all. Many in the collection industry have forgotten this and now “expect” to get a credit card merchant account. This “forget-fullness” is the source of the issue and why some 2200+ agencies have been scrambling to get a new merchant account. Collection agencies have been specifically targeted because either they have been found to be collecting on written-off or purchased debt, their SIC Code shows that they are in the Collections Industry, or they simply have the word “Collection” in their name.

So why all of the sudden?

It seems that Global Payments (a major credit card platform) has been specifically targeted by Visa. Without going into details, almost all of the 2200+ collection agencies were on the Global Payments platform. This sends a strong message to beware of Global Payments if you are doing collections with them today.


 1. Get Into Compliance

If you are collecting on Charged-Off, Written-Off or Purchased Debt of any kind, you should not be processing credit card transactions at all. No ifs, ands or buts here. It is a matter of time before you lose your credit card processing privileges.

2. Start Accepting Debit Cards Only

If you are collecting on Charged-Off, Written-Off or Purchased Debt of any kind, start accepting *only* Debit Cards that are connected to a consumer’s bank account. Processing Debit Cards is fine as long as you can demonstrate that you are verifying that the card number given is truly a Debit Card. If you do not have a Debit Card verification process in-house then you will inevitably be processing credit cards even though the consumer/debtor is telling you that it is a Debit Card. Your credit card merchant account provider will see that you are processing credit cards (even if you do not realize it) and again you will inevitably lose your credit card privileges. You must have a process in place to determine and verify that a card number given is truly a Debit Card.

 3. Get a Second or Even a Third Merchant Account

We find that our customers do not realize that that they can have multiple credit card merchant accounts. When we setup accounts we always try to get the client to get a second and even a third credit card merchant account. The second or third merchant account should be with a different platform, (for example, First Data, Chase Paymentec, TSYS).

4. If You Have a Merchant Account and it is Going Through the Global Payments Platform, Start looking for a New Provider.

If your agency is using a merchant account that is part of the Global Payments platform, you should think about getting a backup merchant account as soon as possible so you are not another casualty.

We are interested to hear about anyone else’s experiences here. Please tell us your “horror story”…

RDC Giving New Life to Paper Checks (Drop Jaw Now)

Re-posted from BankInnovation.Net

May 24, 2013


Smartphone technology is disruptive to many areas of banking, and in the payments space, it has been said that mobile banking — particularly person-to-person payments and mobile wallet — will help spell the end of checks. In fact, the UK is set to sunset the paper check by 2018, and other countries have already made this move.

But if you live in the US, chances are you still write checks now and then — for rent, the soccer league, the plumber — and that’s not likely to change, said Gary Brand, director of source capture solutions for Fiserv.

RDC Giving New Life to Paper Checks (Drop Jaw Now)“RDC [remote deposit capture] is breathing new life into checks,” Brand said. “Being able to snap a picture, it’s taken a lot of the hassle out of checks. Business owners used to wait a week to go to the branch so they could deposit four to five days’ worth of checks. Now they’re depositing them as they come in, in real-time. The ability to deposit checks in a timely fashion is a powerful tool for businesses. Cash flow improves.”

It also saves banks money. While checks can cost $4.00 or more to process in branch, they are estimated to cost less than $1.00 via RDC.

And customers are saved a trip. “Saturday morning it’s a ghost town at the branch,” Brand said. “It used to be one of their busiest times.”

RDC has arrived for consumer accounts but is still not “table stakes” for business accounts, which often do not have mobile apps at all, Brand pointed out. “Even if RDC isn’t implemented for business accounts,” Brand said, “business owners, for convenience, will deposit checks into their personal accounts.” He added, “FIs are challenged with regard to value-added services to small businesses. There are plenty of new services businesses are looking that [FIs] can charge for.”

Retail environments that take in a great number of checks may not be the ideal market for mobile RDC, however. Brand said, “This is a the lifeline for small check scanners.”

With mobile RDC and payment dongles such as Square, the smartphone is a full-featured point of sale for businesses. (For cash, businesses will need something else, like PayNearMe.)

Christine Barry, research director at Aite Group, believes that RDC does not deserve all the credit for preserving checks. She told Bank Innovation, “Businesses and their processes are still heavily reliant on paper. More than 50% of payments still come in via check.”

This number is declining, but RDC remains important. An Aite Group survey from Q4 2012 found that 55% of U.S. banks believe that even as check volumes decline, it will not reduce the value of of check scanners among their customers.

Check scanning “makes the check a viable payment tool,” Brand said. “It looks like it’s going to be around quite a bit longer than we thought.”

Paper, Plastic or Mobile? FTC Urges Protection for Mobile Payments

With the use of mobile payments as a way for consumers to pay for goods and services expected to increase at a “fever pitch,” companies working in this sector should develop products and services with financial, security and privacy protections in mind, said the Federal Trade Commission in a special report.

Paper, Plastic or Mobile?“While mobile payments offer many potential benefits to consumers, they also raise consumer protection concerns,” says the report “Paper, Plastic … or Mobile?” which grew out of an April 2012 FTC workshop on the topic.

The report, issued Friday, says workshop panelists identified privacy, data security, and dispute resolution as the three primary areas where concerns are likely to arise with the use of mobile payments.


In the privacy area, for instance, the report says the use of mobile payments “raises significant privacy concerns, due to both the high number of companies involved in the mobile payments ecosystem and the large amount of data being collected.

“In addition to the banks, merchants and payment card networks present in traditional payment systems, mobile payments often involve new actors such as operating system manufacturers, hardware manufacturers, mobile phone carriers, application developers, and coupon and loyalty program administrators,” says the report.

“When a consumer makes a mobile payment, any or all of these parties may have access to more detailed data about a consumer and the consumer’s purchasing habits as compared to data collected when making a traditional payment,” the report says.

The report focuses on three main issues: resolving disputes that arise from a fraudulent or unauthorized charge, securing data throughout the payment process, and protecting consumer privacy.

Of the three, the FTC seems most heavily focused on concerns about fraudulent payments, especially a practice called “cramming.” Cramming occurs when third parties place unauthorized charges onto consumers’ mobile-phone bills.

To counter such fraud, the report recommends that mobile telecommunications carriers give consumers the ability to block all third-party charges on their accounts, including ones that could be used by minors. Additionally, the report says consumers should be informed that such charges could be placed on their accounts and that a “clear and consistent” process be established for them to dispute suspicious charges.

Patricia Poss, chief of the mobile technology unit in the Financial Practices Division of the FTC’s Bureau of Consumer Protection, says the FTC plans to look at more closely at cramming. “We’ve gotten a lot of input in other areas, but this is one area where we felt a need to explore further,” she tells Digital Transactions News. The FTC will sponsor a roundtable dealing with mobile cramming May 8.

In another matter related to resolving transaction disputes, the FTC report points out that while mobile payments secured by bank-issued credit and debit cards have consumer liability caps, other funding mechanisms often do not offer the same protections. Those mechanisms include pre-funded accounts or prepaid cards. Only three of seven companies that allow funding from stored-value cards limit customer liability on unauthorized charges, according to the report.

The FTC wants carriers to develop “clear policies” on such protections and convey them to consumers. The report also notes that policymakers need to “consider the benefits of providing consistent protections” across payment products.

In looking at data protection, the reports says most mobile-payment technologies provide end-to-end data encryption, but it recommends greater use of dynamic data authentication, where a unique set of payment information is generated for each transaction.

Regarding privacy, the FTC report raises concerns that new partners in payments programs beyond banks, merchants and processors could have access to consumer financial data. The FTC recommends companies adopt privacy practices while allowing customers to be able to restrict disclosure of information, and that the provider disclose clearly to consumers how payment data are used.

Poss says all the suggestions in the report are “recommendations or takeaways” and not official guidelines or regulations. As to whether regulations would be implemented should the industry fail to heed the recommendations, Poss only says: “We’re not there yet. We’re still analyzing the potential for problems with mobile payments and the issues associated with these programs.”

Since mobile payments are still in their infancy, the FTC has not seen much evidence yet of actual problems associated with the issues it raises in the report, but it is looking at the potential for problems as programs pick up steam, she says.

PCI Council Releases Mobile-Acceptance Guidelines

The PCI Security Standards Council on Thursday released yet another set of data-protection guidelines for mobile payments, this one aimed at merchants using smart phones and tablet computers to accept credit and debit cards. Although it touches on many points, the guidance especially focuses on the software running on the devices.

PCI Council Releases Mobile-Acceptance GuidanceIn issuing the guidance, however, the PCI Council gave no indication about if or when it would actually begin certifying the card-accepting software applications developed by technology companies and merchant processors for mobile devices as compliant with the Payment Application data-security standard (PA-DSS). The Wakefield, Mass.-based Council administers that standard, along with the main Payment Card Industry data-security standard (PCI) and another standard governing PIN-entry devices known as the PIN Transaction Security (PTS) requirements. Payments executives have been expecting that mobile-application certifications would resume after the Council froze them in November 2010, but the Council instead has opted for issuing guidance as mobile payments rapidly evolve.

The lack of software certifications leaves mobile-payments providers in somewhat of a security limbo because PCI and its two related standards govern everything else in card payments. Merchants and processors are supposed to meet the main PCI standard, the software applications they use for point-of-sale and online payments are supposed to meet the PA-DSS, and card-accepting terminals and related hardware are supposed to comply with PTS.

But mobile payments are a different animal. In contrast with the purpose-built POS terminals and software most merchants use, mobile merchants very often accept cards by using iPhones, Android smart phones, and tablet computers that weren’t built with payments in mind. But millions of small businesses and even individuals served by everyone from hot startups such as Square Inc. to Intuit Inc. and Groupon Inc. to various independent sales organizations now use their smart phones or iPads to take card payments, often with magnetic-stripe readers that plug into the device’s audio jack. The new guidelines acknowledge that difference.

“As these devices are not solely used as point-of-sale tools but also to carry out other functions, they introduce new security risks,” the Council said in a news release. “By design, almost any mobile application could access account data stored in or passing through the mobile device.”

Later in the release, chief technology officer Troy Leach said: “Currently, it is challenging to demonstrate a high level of confidence in the security of sensitive financial data in devices that were designed for other consumer purposes, which is why we encourage merchants to consider encrypting cardholder data securely prior to using mobile devices to process transactions.”

The Council did not respond to Digital Transactions News’ requests for comment. The release is vague about what the Council’s next move will be. “In 2013 the Council will continue to collaborate with industry subject-matter experts and other standards bodies to explore how card data security can be addressed in an evolving mobile-acceptance environment, and whether additional guidance or requirements must be developed,” it says.

The 27-page document, dubbed “PCI Mobile Payment Acceptance Security Guidelines for Merchants as End-Users,” strikes Bruce Shirey, senior vice president of business development at Houston-based merchant processor eProcessing Network, as providing “common-sense stuff” addressing data encryption and other security topics familiar in the merchant-acquiring industry.

The guidelines specifically cover payment card account data entering the mobile device, account data residing in the device, and data leaving the device. The paper also provides recommendations for merchants regarding the physical and logical security of card-accepting mobile devices in addition to guidance for hardware, software, the use of a payment-acceptance solution, and customer relationships.

The new document follows the guidelines the Council released last September for mobile-app developers. Earlier in 2012 the Council issued a brief “fact sheet” for merchants using smart phones to accept cards.

Shirey speculates that the Council’s hold on mobile-software certifications may be the result of difficulty in keeping up with the industry’s rapid technological evolution. “The apps are coming out so fast,” he says. “I think it snuck up on them and they weren’t prepared for it.”

On the Rise, Mobile Bill Pay Could Spur More E-Bill Presentment, Card Usage

U.S. consumers are rapidly turning to mobile devices to pay bills, and that trend in turn is likely to encourage more card usage for bill payment and more electronic bill presentment, according to a study released this week.

On the Rise, Mobile Bill Pay Could Spur More E-Bill Presentment, Card UsageSome 8% of households with an Internet connection paid at least one bill with a mobile device last year, up from 6% in 2011, according to the “Billing Household Survey,” sponsored by Fiserv Inc. While still a relatively small number, the 33% increase is significant, says Eric Leiserson, senior research analyst at Fiserv. Saving time appears to be the biggest reason for using mobile for bill payment, with 50% of users citing this reason in the survey. Moreover, the smart phone is turning out to be the dominant device for mobile bill payment, with 12% of users paying bills with the device, up 41% from 2011. “That’s where the traction is,” notes Leiserson.

Tablet usage, too, is on the rise. Tablet ownership in the survey, which is the fifth annual study Fiserv has conducted, rose to 41% of respondents from 19% in 2011. Of the tablet owners, one-fifth had received from or paid a bill at a bank bill-pay site. Almost as many–19%–had paid a bill at a biller site.

By contrast, feature-phone usage appears to be losing prominence for bill payment. Nearly two-thirds of bill payers who used a mobile device relied on their browser, while another 18% used apps. Only 13% used text messages, and that number represented a decline. “Text-to-pay has actually dropped off compared to the mobile browser,” Leiserson says.

Whether by smart phone or feature phone, the rise of mobile bill payment could have significant implications for card payments and e-bills, according to Leiserson. It could also open up non-Internet households for the first time to electronic bill payments, Leiserson says. “That’s going to be something special,” he says. “[These households] now can be connected to the Internet in their pocket. It opens up to billers new incremental electronic transactions.”

At the same time, the ability for billers and financial institutions to send alerts to customers’ mobile phones could encourage more acceptance e-bills. So-called electronic bill presentment, in which consumers receive bills via e-mail rather than through the mail, has struggled over the years to win consumer adoption. Major efforts such as the Electronic Billing Information Delivery Service (EBIDS) from NACHA, the regulatory body for the automated clearing house, have tried to solve this issue by combining secure electronic bill payment with bill delivery.

But now, with more consumers carrying mobile devices and using them to pay bills, mobile alerts about bills that are nearly overdue could spur users to retrieve the bill or sign up e-bill presentment to avoid late charges, Leiserson reasons. In Fiserv’s survey, some 71% of consumers indicated receiving a bill-due alert would raise the odds they would sign up for e-bill presentment. “It’s a reminder to pay that’s actionable wherever you are,” he notes, adding that such alerts could be a “game-changer” for e-bills.

Mobile could also lead to more credit and debit card usage to pay bills, as well, since most on-the-go consumers aren’t likely to have a checkbook or checking-account details with them when they pay. “Now that we’re in the mobile age, how are people going to pay for things if they don’t carry a checkbook around?” Leiserson asks. Some 55% of consumers either don’t carry a checkbook or seldom do, according to the survey. Leiserson says such consumers are likely to use a card for bill payments. “It puts the credit card front and center,” he says.

Fiserv conducted the survey in May of last year. Some 1,600 respondents completed an online questionnaire, while another 400 were surveyed by phone.

NACHA Issues Final Guidelines on QR Codes in Bill Payments

The guidelines, developed in collaboration with CEBP members and refined through industry input, describe the use of QR codes in a variety of bill payment functions such as viewing bills, making bill payments, enrolling for eBills and setting up payees in online banking.

NACHA Issues Final Guidelines on QR Codes in Bill PaymentSpecifically, the QR Encoding for Consumer Bill Pay Guidelines identify voluntary standards for using QR codes in both biller direct and consolidator/aggregator billing and payment models. It contains recommendations regarding QR code size, data to be included in the QR code, and layout of the data represented in the QR code, among others. The goal of the guideines is to establish a single QR code format that can be printed on a paper bill and scanned by the consumer’s mobile phone using a biller, mobile banking or generic QR code reader. In this way, billers and service providers can enable QR encoding in a standardized format, providing certainty for biller and banking clients, and ensuring a consistent experience for consumers.

“With the help of the industry, the CEBP has been able to develop a clear, implementable standard for the use of QR codes in consumer bill payment,” said Chris Huppert, Senior Vice President of Wells Fargo and chair of the CEBP. “It is our hope that these standards will help encourage QR code use for bill pay, and ultimately provide an easy option for check writers to view and pay bills electronically.”

“We see QR codes as a bridge to help our biller customers move their consumers from paper to electronic adoption,” said Rich Langan, Senior Product Manager with DST Output, a customer communications provider and CEBP member that helped spearhead the Guidelines development effort. “With diverse participation from key industry verticals, the CEBP serves as a great venue for these types of standards efforts.”

The CEBP intends to organize a test for early adopters in 2013 with billers, biller service providers, financial institutions, paymenteent providers and others to help kick start use of the Guidelines. The purpose of the test is to verify the specification and to help develop market participants. Organizations interested in participating in the QR code test should contact Robert Unger, Senior Director, eBilling and Payments, NACHA at (703) 561-3913 or by March 1, 2013.

Are Credit Card ‘Checkout Fees’ Coming to a Store Near You?

Consumer Action educates shoppers on their rights when retailers impose credit card surcharges

Contact: Linda Sherry, Consumer Action, 415-777-9648 | Trish Wexler, Electronic Payments Coalition, 202-288-1238

Caution High Fees AheadWashington, DC – Consumer Action today releases a brief guide to help consumers understand new and potentially higher costs when they use a credit card at some retailers. As a result of a settlement between retailers (online and offline) and the payments industry, consumers soon may begin seeing retailer surcharges, or “checkout fees,” when using their credit cards at brick-and-mortar stores or online merchants. Consumer Action has published an online guide that explains consumer rights and retailer responsibilities, available on its Know Your Card website.

The settlement, reached in July between retailers, nine major banks, Visa and MasterCard, gives retailers the option to pass credit card acceptance costs on to consumers through checkout fees. The preliminary settlement was signed on Nov. 9, making the settlement terms effective in late January 2013.

“Over the last couple of years, there have been a lot of changes for consumers at the register. A year ago, the Durbin amendment was implemented, which decreased the cost that retailers pay to accept debit cards, allowing them to pass on savings to consumers if they choose. Now consumers may face credit card ‘checkout fees,’ or surcharges, at the register,” said Linda Sherry, Consumer Action’s director of national priorities. “One of our goals is to make sure consumers know their rights when these changes occur, and have enough information to be smart shoppers.”

The Know Your Card website includes Consumer Action’s new guide containing information about the states where it is illegal to apply surcharges, disclosures that retailers are required to provide and steps that consumers can take to avoid checkout fees altogether. The guide, Checkout Fees: Consumer rights and retailer responsibilities, includes the following:

  • Checkout fees are permitted only on credit and charge cards, NOT on debit cards.
  • Checkout fees remain illegal in ten states (full list in guide).
  • Retailers must limit fees to what they pay to accept the card. In the U.S., that is typically between 1.5% and 3% of the total purchase.
  • Retailers must provide “clear disclosure” (such as signage) of any checkout fees.
  • The disclosure on the receipt must list the amount of the checkout fee, the fact that the retailer is imposing the charge and that the fee is not greater than what it costs the retailer to accept credit and charge cards.
  • Checkout fees can vary for different kinds of cards (such as rewards cards or premier cards), so be sure to ask your retailer in advance if different surcharges apply and choose your payment card accordingly.

Additionally, the guide highlights steps that consumers can take to prepare for and manage the costs of checkout fees. Some steps are as simple as shopping around for retailers that don’t charge checkout fees or requesting discounts for alternative forms of payment. Checkout Fees: Consumer rights and retailer responsibilities was produced in partnership with the Electronic Payments Coalition (EPC), which includes credit unions, community banks, and payment card networks. See “About Electronic Payments Coalition (EPC)” below.

About Consumer Action

Consumer Action, a San Francisco-based national education and advocacy organization with offices in Los Angeles and Washington, D.C., has been a champion of underrepresented consumers nationwide since 1971. A non-profit 501(c)3 organization, Consumer Action focuses on financial education that empowers low- and moderate-income and limited-English-speaking consumers to financially prosper. It delivers its multilingual educational programs and materials through a unique nationwide network of 7,500 community-based organizations and on the organization’s website (

About Electronic Payments Coalition (EPC)

The EPC includes credit unions, community banks, and payment card networks that move electronic payments quickly and securely between millions of merchants and millions of consumers across the globe. EPC’s goal is to protect the value, innovation, convenience and competition in today’s growing electronic payments system. EPC educates policymakers, consumers, and the media on the system’s role in economic growth, and the importance of protecting consumer choice and stability for the continued growth of global commerce.


 Reposted from the Electronic Transactions Association:

The smartphone is an integral part of our culture that has revolutionized the way we communicate, share and engage with each other. The next wave of technology will revolutionize the way we engage with retailers, shop, handle our personal finances, carry our drivers license and credit cards and much more.

Here’s how the digital wallet can help you this Holiday Season:

Convenience. The average American holds at least three credit cards in their wallet, not to mention countless discount cards and receipts attained from choice retailers. Pretty quickly the traditional wallet can become a bloated mess. Enter the digital wallet – a streamlined, efficient way to carry all of your account information and discount codes – simply tap or scan your phone to complete a transaction.
Security. Digital wallets are secure because, unlike a plastic credit card, your personal credit information never has to leave your hands. Even if your phone is lost or stolen, access can be passcode blocked and one phone call can totally disable your wallet, easing the hassle of calling each credit card company. Digital wallet providers are using enhanced security measures that can be even more secure than traditional wallets.
Personalized Shopping Experience. Retailers can customize offers and give you the best deals where you are, and when you need them. For example, a downloaded Starbucks app can identify you when you are near the coffee shop and offer a discount on your next latte. The digital wallet also holds boarding passes, loyalty cards, and discount vouchers for extra discounts and convenience.
Social Networking. Engage in ‘social commerce’ by turning the products you buy into real-life conversations. The digital wallet allows you to share with friends what you’re buying, where you’re buying it, and the deals you’re getting. Also, this year rather than wondering what to buy that hard to shop for person, make holiday shopping a no-brainer by viewing the products they like on Pinterest or other social media platforms.
Eliminates the need for the hassles of traditional banking. The digital wallet allows busy people to handle banking transaction right on their smartphones. No longer a need for deposit slips or checks, the digital wallet makes it easy to immediately transfer balances, deposit checks, pay bills and much more all at a time and place that’s convenient to you.

Mobile Payments Hit $20 Billion in 2012

Mobile Payments Hit $20 Billion in 2012A new report by Javelin Strategy and Research reveals that consumers spent more than $20.7 billion shopping using mobile devices, with around $5 billion of that spent using tablets, in the last year. Mobile shopping is continuing to grow at a rapid pace with the number of people owning tablet devices set to double in the next three years.

“With large-screen real estate and mobile capabilities, tablets are the ideal channel to transform PC-based online shoppers into mobile shoppers,” said Mary Monahan, Executive Vice President and Research Director, Mobile at Javelin. “Increasingly, mobile devices like tablets are being used as shopping tools but the mobile buying experience is not keeping pace with consumer activity.”

Javelin’s research revealed that on average consumers spend $10 more per purchase using a tablet compared to a mobile device. The Mobile Payments Hit $20 Billion in 2012 report is based on three online surveys of mobile phone owners and a survey of mobile device owners, and also includes case studies of mobile offerings from American Express and Amazon.

Seven Steps to Picking a Payment Processor

Seven Steps to Picking a Payment ProcessorCollection and Law Firms working in a competitive field today are faced with various challenges and must follow many rules and regulations such as FDCPA, TCPA and HIPAA to mention a few. Payment processing should not be a “road block” to running your business; rather it should be an easy and fast method for consumers to make payments on a safe and secure platform without the additional hassles of yet more regulation. Today’s firms need to offer as many payment options as possible while insuring payment encryption and privacy to meet the needs that consumers are demanding.  So, now what? How do you find a good payment processor?  We recommend the following steps:



If you are processing credit or debit cards, you should make sure that the payment processing firm is Level 1 PCI compliant. Level 1 means they are listed on the Visa/MasterCard list of approved Third Party Payment Processors (TPP) and are processing more than 6 Million transactions annually. Be warned, when asked, many payment processors will send you a scan report of their systems. This is a common ploy. Ask specifically for their Attestation of Compliance (AOC) certificate which proves their PCI Compliance and then verify that it is Level 1 (1 is the highest of 4 levels).


Some collection firms are required to process only debit cards and not credit cards. Make sure the payment processor can not only distinguish between debit and credit cards but also processes debit cards only.


If processing ACH transactions, make sure the payment processing software will ensure NACHA Rules compliance to protect you from unintentionally breaking a NACHA rule.


Make sure the payment processor understands your industry. They should be an active member with the ACA, NACHA, DBA and the BBB.


Verify that payment processor has load balancing servers and redundant data centers in place to handle high load and provide data center redundancy.


Determine the level of support that is provided by the payment processor. Confirm that they have a secure portal and online chat system to communicate technical issues and answer general questions.


Finally, confirm what type of training (if any) the payment processor will provide on a regular basis? You should expect to have, at the very minimum, proper documentation, a FAQ knowledge base, and live online training with a professional payment trainer. Optimally, look for a payment processor that has ongoing/continuous online classes. This will help keep new employees trained and keep you out of a bind if a key person suddenly quits or is out for an extended period of time.

NACHA’s Answer to P2P Mobile Payments?

Reposted from Digital Transactions

In an effort to bring some order to the Wild West of person-to-person payments over the automated clearing house network, ACH governing body NACHA-The Electronic Payments Association is proposing a new credit version of its WEB code for online bill payments that would include standardized formatting for the transactions.

NACHA's Answer to P2P Mobile Payments?Herndon, Va.-based NACHA is taking comments from the financial community about its proposal until Oct. 1. It issued the proposal Aug. 15. Plans call for a new rule implementing the proposal to take effect March 21, 2014.

NACHA has numerous standard entry class (SEC) codes for the various types of ACH payments, but none specifically addresses person-to-person payments, according to Mike Herd, managing director of ACH network rules. Banks, processors, and tech startups, however, are increasingly promoting P2P payments as online-banking programs and specialized software make paying other people using personal computers or mobile devices ever easier. “It looks like the adoption of that is happening, and it seems like the appropriate time to go out and make some rules,” Herd tells Digital Transactions News.

NACHA knows a number of P2P transactions already are flowing through its network, but Herd says the actual volume can’t be easily discerned. Such transactions typically use bill-pay codes, and if a third-party processor is involved, as is frequently the case, one payment may be split into two transactions, one debiting funds from the sender’s account and the second crediting them to the recipient’s account.

A standard entry class code specifically designed for P2P payments would give NACHA a better read on volume and enable it to set formatting standards so that originating depository financial institutions (ODFIs) and receiving depository financial institutions (RDFIs) can easily send and receive the items, according to Herd. To do that ,NACHA considered several alternatives, including the creation of an entirely new SEC code. That idea didn’t fly.

“As a general matter over the years, the trend for proposals that we make and have gotten feedback is that a new SEC code [is] the most expensive in terms of system implementation and cost,” says Herd.

Thus, NACHA set about determining which of its existing codes could be adapted for P2P. The two main candidates were CIE, for customer-initiated entry, and WEB, a fast-growing code for Internet bill payments and mobile ACH payments. CIE is a credit transaction in which the originator directs his bank to “push” funds to another party. WEB is a debit transaction in which the originator requests funds from an account but does not have confirmation that the money actually is there.

A CIE transaction, while slightly less risky than a WEB one, has some drawbacks for P2P payments, however. “It’s really designed around paying a bill … and giving information about the consumer’s account with the biller,” says Herd.

Instead, NACHA decided to modify WEB for P2P payments by introducing a credit version of the code. A WEB credit would enable financial institutions to easily identify, process, and track statistical data, according to NACHA’s executive summary of the plan. Processors already use WEB debits to fund P2P transactions under the split-payment model, so service providers could batch WEB credit and debits together for processing, NACHA says.

One issue in adapting WEB for P2P was changing criteria governing who can originate a transaction. With WEB debits, the originator typically is a company that has an agreement with a financial institution, and transactions have a number of risk-control features. But that system would be cumbersome for consumers who want to send a payment to another person. “Consumers today are not excluded from originating WEB debits, but they would have to be appropriately vetted, be treated like any other originator,” says Herd.

Instead, with senders and receivers of WEB credits being individuals, NACHA will not require authorization by the payment receiver, and there will be no warranty for such authorizations made by ODFIs.

Formatting standardization, meanwhile, will involve a number of elements regarding data and its presentation in the transaction message. “Standardization of the way the network works for P2P credits would lead to greater adoption,” says Herd.

Standardized formatting also will help recipients ascertain the sender of the funds, as required under Regulation E to the federal Electronic Fund Transfer Act. “When transactions are clearly identified, banks tend to get few customer-service calls,” says Herd, adding that clear IDs also will prevent some return ACH transactions.

A related aspect in the proposal would add an optional addenda record in the transaction, an electronic equivalent of the memo line on a paper check, which could carry further documentation in plain text or even a URL link to a Web site with added documentation.

The P2P rules effort stems from a process that started back in 2009 when NACHA requested comments about how to handle ACH payments from mobile devices and ultimately settled on WEB.

Same Day ACH Voted Down but Still Has Life…

Reposted Digital Transactions

A proposal to change the rules of the automated clearing house network to allow faster clearing times, which last Friday fell short of the votes needed to be enacted, is likely to be resurrected in some form, experts polled by Digital Transactions say. “I don’t think it’s dead, but it’s probably dead for another year or two,” notes Nancy Atkinson, a senior analyst at Aite Group LLC who follows the ACH. “It can’t be brought up again this year. You have to move on.”

But any new effort behind the proposal could face entrenched opposition from the nation’s largest banks.

Same Day ACH Voted Down, but Still has Life...The proposal, which would have moved up clearing and settlement times for both credits and debits on the ACH from next day to same day, is necessary for the ACH to remain a competitive payments network, these observers say. Consumer expectations, particularly with the advent of mobile payments, increasingly lean toward near-immediate effect for payments, they say. And some similar systems overseas, including the Faster Payments initiative in the U.K., already offer same-day funds availability.

The proposed rule change was drafted by NACHA, the Herndon, Va.-based organization that oversees the ACH on behalf of banks. NACHA had worked on the measure, which it called Expedited Processing and Settlement (EPS), for about two years. Now, some observers expect the organization to revive the effort. They point to the fact that, while the EPS proposal failed, it won a majority of yes votes from members. It didn’t win enough votes, however, to exceed the 75% level necessary to effect a rules change.

“I don’t see how NACHA can let this linger for too long,” says David T. Bellinger, director for payments at the Association for Financial Professionals, a Bethesda, Md.-based trade group that represents corporate finance officers. The AFP had favored the proposed change. “Banks need to think about staying competitive. Whatever the issues were that were holding them back, they need to work through that. I can’t see the future, but that is a risk for them,” Bellinger says.

NACHA may be thinking along the same lines. In a statement it sent to Digital Transactions News on Monday regarding the vote, it said, in part: “NACHA will continue to explore solutions for faster processing and settlement. In balloting EPS, NACHA was responsive to industry requests for faster processing and settlement, and we will continue to be supportive of user needs.”

In the balloting, the country’s largest banks opposed the measure, while the more numerous regional and smaller institutions were split. Larger institutions don’t see enough revenue potential in same-day service to compensate for the costs the service would create, says Bob Meara, a senior analyst at Celent LLC. Banks that may have thought about charging premium pricing for the service may have been stymied by fierce merchant opposition to increased pricing for other forms of electronic payment, including card interchange. “Why would you be quick to do this” if you can’t charge premium prices for it, Meara asks.

Some banks also feared the service could cannibalize their more lucrative wire-transfer business. While wires are typically used for large transfers, such as down payments on homes, Atkinson says banks want to preserve wires as an exclusive option when immediate payments are necessary. “As long as they can’t do same-day ACH, they can convert [the transaction] to a wire transfer if it has to be same day and make more money off it,” she says. Expected increases in the cost of wires, though, will likely cause businesses to put more pressure on banks to support same-day ACH, she cautions.

Ultimately, the federal government may have to step in to make same-day ACH a reality, these observers say. “I wouldn’t be surprised to see the [Federal Reserve] put something forward if banks don’t take action,” says Bellinger. The Fed has a similar service, which it introduced two years ago, but it applies only to certain ACH debits and leaves bank participation voluntary.

Atkinson would like to see the payments industry create an electronic transfer service combining ACH and wire. “That will take government backing to some extent,” she observes. “The government has to take a stand or it doesn’t happen.”

Taking Credit Cards in Your Call Center? Better Read This…

PCI Guru

A big thank you to a reader for suggesting this post with a post to my Miscellaneous Questions page with a number of questions related to call centers.

Based on their questions, the first clarification that needs to be made is in regards to pre-authorization data.

In a call center environment where operators are taking orders over the phone and accepting credit/debit cards for payment, until the card transaction is either approved or declined, we are talking pre-authorization data.

Only cardholder data after authorization or decline (also known as post-authorization data) is covered by the PCI DSS.

However, as I have noted before, the card brands expect pre-authorization data to be protected with the same voracity as post-authorization data.  The PCI DSS can provide organizations with a guideline on how to protect pre-authorization data, but pre-authorization is not in-scope for PCI compliance.

That said, just because it is not in-scope for PCI compliance; do not think a QSA is not going to consider it.  Any good QSA should review the pre-authorization process and identify any issues that might be present that could result in the compromise of pre-authorization data.

Taking Credit Cards in Your Call Center? Better Read This...Do we need a ‘clean room?’

From a PCI compliance perspective, the answer is ‘no’, although there are a number of PCI requirements that would lead you to restrict what is in the actual call center.  However, best practice is to operate any call center handling potentially sensitive data in a ‘sterile’ environment.

That means clean desks, no personal items at the workstation, no paper and pens for writing things down, locked down workstations and other restrictions so that sensitive information is not leaked from the call center.

The idea for creating a sterile environment by banning cell phones and giving personnel lockers to secure their personal items is in line with what we see in call centers.  In addition, I think most call center organizations find that their clients require such approaches to ensure that their customers’ privacy and security is maintained.

In addition to all of the physical security, call center personnel need to be trained regarding security and privacy.  Call center personnel need to sign an agreement that says they acknowledge that they will be in contact with cardholder data and that the cardholder data is to be protected in compliance with the PCI DSS and other regulatory and legal requirements.

Is it necessary to segregate our team responsible for taking credit card information?

The PCI DSS does not require credit card handling call center personnel to be segregated from other cal center personnel.  But again, best practice would be to put your credit card handling team together for a variety of other reasons.

Another best practice is to segregate call center teams that handle sensitive data from personnel that do not handle sensitive data.

The PCI standard 3.3 is not very clear on the subject in my opinion…  however, parts of the standard seem to me very unclear

The first thing people responsible for call centers should do is read the PCI SSC’s FAQ (#5362) on call center recordings and PCI compliance.  The next thing they should do is read my postings on call center recordings.

Requirement 3.3 of the PCI DSS is very clear in my opinion.

Mask PAN when displayed (the first six and last four digits are the maximum number of digits to be displayed)

What I am sure is confusing are the caveats surrounding this requirement.  The first caveat states that personnel with a business need to know can have access to the full primary account number (PAN).  These personnel are typically accountants that work chargebacks and disputes, not call center personnel.

In a call center environment, the system may display the PAN for customer confirmation purposes.  However, once the PAN is submitted for authorization, the full PAN must no longer be available and must be masked to the first six digits and/or the last four digits.

The second caveat is that where legal or regulatory conditions apply, requirement 3.3 is superseded by any legal or regulatory conditions.  The best example of this is that United States’ federal law mandates the last four digits of the PAN be displayed on a POS receipt.  However, this second caveat should not impact any call center as they do not generate any documentation that would be regulated.

I know that there are system requirements

Another area where call centers can be at risk is the call center workstation.  The reason is that the workstation comes into contact with the cardholder data.  Depending on how the workstation is used and configured, will determine the level of security surrounding the workstation.

The big move in call centers today is to use virtual workstations either through Citrix, VMware or similar solutions.  In these situations, the workstation is just a display device.  The server creating the virtual desktops needs to be physically and/or logically segregated from other virtual servers.

The threat to a physical workstation in any environment is that a keyboard logger is installed to record everything typed into the physical workstation.  As a result, the physical workstation needs to have their system/event logs monitored and have anti-virus, anti-malware and critical file monitoring implemented.

Hopefully this answers a lot of the questions call centers have regarding PCI compliance.

Cross-posted from PCI Guru