What You Need to Know About PCI Compliance
For Scott Rubin, vice president of Chicago-based Double P Corporation, which owns 53 Auntie Anne’s locations, credit and debit card processing remains a nagging presence in day-to-day business.
“I get calls every week from processors,” he says. “Everyone can guarantee they will do better than my existing provider.”
The world of credit and debit card processing is a complex web of financial, legal, and security issues, one that leaves operators scratching their heads and draws a large market of payment processing providers swooping in to provide help. But experts say that by understanding the needs of their business and working diligently to find an appropriate provider, operators can save both valuable dollars and aggravating headaches.
For starters, when shopping for a card processor, experts agree quick-serve operators should look beyond the initial low rate that’s promised upfront.
“You may have been promised a great rate for processing your card payments, let’s say 1.64 percent,” says Sanford Brown, chief sales officer for Heartland Payment Systems, based in Princeton, New Jersey. “But when you take a closer look, you are likely paying much more. Many processors quote a low rate just to make the initial sale and fail to point out that only a small percentage of the transactions actually qualify for that special rate.
“They don’t tell you that the remaining transactions—often the majority—will be charged at a fee that could be as much as double or triple that low rate. These extra charges add up significantly over time, stealing from your bottom line.”
It’s also crucial that operators examine the fees that may be added on top of the rate. These come in a variety of forms, such as annual fees, statement fees, monthly fees, batch fees, application fees, Payment Card Industry (PCI) compliance fees, and non-PCI compliance fees, to name a few. Experts say the processing provider should explain every fee to the operator’s satisfaction and show them how to read the billing statement.
“If no one is explaining those things to you, there’s something fishy going on,” says Darrah Brustein, a partner with Equitable Payments.
Furthermore, Double P’s Rubin says it’s essential to compare apples to apples. He recommends taking a past processing statement and having a potential provider explain what their fees and costs would have been for those same transactions.
In fact, Brent Alvord, president of Memphis, Tennessee–based Lenny’s Sub Shop, suggests having the companies do the dirty work. “Get your existing company to do an analysis on why a new competitor is not better than what they’re giving you,” he says. “We got an awesome deal because we went back to our existing processor and gave them an opportunity to do something different. This often is the best leverage with an existing provider.”
When considering a processing provider, Alvord says to carefully read the contract—and understand it. “Make sure you have an out or a limited term with a reasonable termination fee,” he says. Brustein adds that operators also should avoid automatic renewal clauses and know when the contract expires so they can revisit their options at the end of the contract.
Robert Livingstone, president of Ideal Cost, a national merchant-consulting firm based in West Palm Beach, Florida, also warns against companies that push a lease. “Many credit card processors try to lease a credit card machine worth $200 for a monthly rental fee of $50 per month for 36 months,” he says. “At the end of 36 months, the business will not even own the machine and will be asked to keep paying the rental fee or buy it out.”
In dealing with credit and debit card processors, quick-serve operators should keep an eye out for warning signs that the company may not be all that it promises to be, says Rich Toland, senior vice president of Food Services, Travel & Entertainment, and Strategic Alliance Accounts for First Data Corporation. “If it sounds too good to be true, it probably is,” he says. “It’s more than just a rate. Things go beyond just the rate. What you need is a partner that can grow with you.”
Security is another key aspect to consider when choosing a card processor. “All merchants must now comply with PCI data security standards (DSS) on an annual basis, which is a federal mandate as of July 1,” says Ed Dean, vice president of operations for Blue Square Resolutions. “The PCI DSS is a set of comprehensive requirements for enhancing payment data security. Failure to meet compliance standards can result in fines from credit card associations and banks, and even the loss of the ability to accept credit cards.”
Brown recommends asking the processing provider for verification that it is PCI compliant. He says compliant companies should be listed on the Visa and Mastercard websites.
When it comes to the equipment side of card processing, Brown says operators should ask if the swipe mechanism in the terminal itself uses any advanced encryption technologies and what they are. Operators also need to secure their point-of-sale systems.
“For merchants with an e-commerce presence, accepting transactions over the Internet makes computers susceptible to viruses, worms, spyware, and other potential attacks,” Dean says. “At a minimum, to keep information safe, business owners need to set up their websites using encryption technology. The best form of security today is the implementation of tokenization, which replaces credit card data with random numbers and letters, making them useless to any potential thief.”
Because there are so many credit and debit processing companies in the marketplace, Rubin says it’s critical to thoroughly research every company. “I want to deal with a name I recognize and know that they are processing on a quality network,” Rubin says. “Look at the company’s website and see if there’s any meat to it; it could be fluff.”
Brustein says to always err on the side of caution.
“Ask as many questions as you can to make sure you’re not trapped in an agreement where you’re getting a raw deal,” she says.