Merchant Account Services

Archive for March, 2006

The AVS Game

Thursday, March 23rd, 2006

Address Verification (AVS for short) is a service that verifies the cardholder’s billing address in order to combat fraud in mail order/telephone order transactions (see the merchant account glossary). AVS is required on all non-swiped Visa and MasterCard transactions.

How AVS works is simple. When a merchant key-enters a credit card sale into their credit card terminal (or POS software; Internet merchants will use a payment gateway), they will be prompted to enter the cardholder’s billing street address and zip code. This information is then sent to the processing bank and compared to what the card issuing bank has on file. A code representing which fields matched is returned to the merchant (see chart below) and the merchant then determines if they wish to proceed with the sale. If both fields match, it is usually assumed the customer is the cardholder and the transaction is safe. If neither matches, the merchant has to decide if they want to proceed with the sale, as it is assumed the customer is not the cardholder. If only one field matches, the merchant must also decide if they feel comfortable completing the sale. Most major online retailers will not allow a transaction to proceed unless a complete match is returned.

Here are the AVS codes you need to know:

X or Y – Both the numeric address and the Zip code match the card issuing bank’s database.

A – Address matches but the Zip code does not.

W or Z – Zip code matches but numeric address does not.

N – Neither the zip code nor the street address matches.

U – The issuing bank doesn’t support AVS.

G – An international credit card. AVS is not supported.
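The decision step described above can be written as a small gate on the returned code. This is an added example, not code from a processor or gateway: it covers only the codes in the chart, and the lenient "review" policy and the sample batch are assumptions made for illustration.

```python
from dataclasses import dataclass

# AVS codes from the chart above: (street matched, zip matched).
# None means the issuer performed no address check at all.
AVS_RESULTS = {
    "X": (True, True), "Y": (True, True),
    "A": (True, False),
    "W": (False, True), "Z": (False, True),
    "N": (False, False),
    "U": None,  # issuing bank doesn't support AVS
    "G": None,  # international card, AVS not supported
}

@dataclass
class Decision:
    action: str  # "accept", "review" or "decline"
    reason: str

def decide(avs_code, strict=True):
    """strict=True is the 'complete match only' policy; strict=False is an
    assumed lenient policy that sends partial matches to manual review."""
    code = (avs_code or "").strip().upper()
    if code not in AVS_RESULTS:
        # Fail closed: an unrecognized or empty code is never a match.
        return Decision("decline", f"unrecognized AVS code {code!r}")
    result = AVS_RESULTS[code]
    fallback = "decline" if strict else "review"
    if result is None:
        # No check took place, so the lack of a mismatch proves nothing.
        return Decision(fallback, "AVS not performed by issuer")
    street, zip_ok = result
    if street and zip_ok:
        return Decision("accept", "street and zip match")
    if not street and not zip_ok:
        return Decision("decline", "neither street nor zip matches")
    return Decision(fallback, f"only {'street' if street else 'zip'} matches")

def triage(codes, strict=True):
    """Count the decisions for a batch of AVS codes."""
    counts = {"accept": 0, "review": 0, "decline": 0}
    for code in codes:
        counts[decide(code, strict).action] += 1
    return counts

# Constructed sample batch of gateway responses (not real data).
SAMPLE = ["Y", "x", "A", "Z", "N", "U", "G", "", "Q"]
```
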

So what is the game? Well, there is a charge every time AVS is performed. It usually is about 5¢ per transaction. It’s a small cost for security and the cost itself isn’t an issue. How this fee is presented is an issue. For retail businesses this isn’t as important, as very few sales will be keyed into their credit card terminal and the pricing is usually built into any surcharges that result from keying in the sale. But for mail order and Internet merchants this is often not the case.

Typically a sales agent will advertise their rates as a percentage rate and flat transaction fee. For example: 2.30% plus 30¢. There are other fees associated with merchant accounts, but because these two fees tend to add up to the greatest amounts, and are also the main differences between competitors, the rest typically go unnoticed. It is unfortunately common for sales agents to separate AVS from their transaction fee when advertising to mail order and Internet merchants.

Why do they do this? Because by separating this fee they can claim their transaction fee is 5¢ lower than it really is. They often fail to tell their prospective mail order and Internet merchant that they must do AVS on every transaction or else be charged a significantly higher rate. When a merchant fails to do AVS on a non-swiped transaction, they are automatically charged the highest rates available from Visa and MasterCard. So, in an effort to make their offer look better, some sales agents put the merchant in a bad spot: either pay an extra 5¢ they never bargained for every time they process a transaction or get gouged by their processor. And the fact that these same sales agents lock their merchants into long-term contracts only makes the scam that much worse.

So, what do you do? It’s simple really. When shopping around for your merchant account, be sure to ask if AVS is included. If not, find out how much it is and add it to your transaction fee to see what your real transaction fee is.

Visa Warns Software May Store Customer Data

Friday, March 17th, 2006

From CNet News

A popular software that retailers use to control debit-card transactions may inadvertently store sensitive customer information, including PIN codes, says Visa.

Two versions of cash-register software made by Fujitsu Transaction Solutions are under scrutiny, according to a warning Visa issued to the companies that process card transactions for some of the nation’s largest retailers. A Visa representative confirmed that the warning was sent.

Some of Fujitsu’s retail customers include Best Buy, Staples and OfficeMax, but it is not known which companies use the software Visa claims is flawed.

Visa’s warning, which was first reported by The Wall Street Journal on Friday, has raised eyebrows in the financial and retail sectors. The software was flagged at a time when thousands of debit-card holders across the country have reported unauthorized withdrawals from their accounts.

Bank of America, Washington Mutual and Citibank are among the financial institutions that have replaced more than 200,000 debit cards in the past two months and have told customers that thieves obtained vital debit-card information as a result of a security breach at a large merchant.

One commonality among the fraud victims, according to law enforcement and banking officials, is that most had shopped at one of Fujitsu’s clients: OfficeMax.

The office-supply retailer has said that it has found no indication that it suffered an illegal intrusion. Fujitsu, which did not return repeated phone calls from CNET News.com on Friday, denied that its software has had anything to do with any alleged security breach. A representative for the company told the Journal that customer data, such as PIN codes, could not be stored using just its software. Other software tools would have to be added.

Major credit-card companies have banned the storing of customer data and can fine merchants who do store such data. The fear is that customer information may be a sitting duck for hackers should it be left in a company’s computer system.

What may be more worrisome for consumers is that it’s not uncommon for merchants to accidentally stockpile their customers’ data, says Branden Williams, a principal consultant at computer-infrastructure firm VeriSign.

One of VeriSign’s offerings is that it will assess a company’s computer systems to ensure they meet security standards required by the big credit-card firms.

During his white-glove inspections, Williams said, he has often found software that would trap customer data, including PIN information, without the retailer’s knowledge. Big companies working with complex systems are more prone to such slipups, he said.

“You could totally understand how they could forget to turn off some switch,” he said.

But Williams said there’s no reason for the problem to go unchecked. Not only are there companies like VeriSign that will monitor system security, but Visa also offers a list of software products proven not to store data.

Neither one of the Fujitsu products, RAFT and GlobalStore, is among the products approved by the major credit card companies. This doesn’t mean that the software doesn’t meet industry standards. It only means that the software hasn’t undergone the review process needed for sanctioning by the group, according to a note on Visa’s site.

“It’s really the responsibility of a company doing business to protect their customers,” said Williams. “Especially when you consider what’s at stake: identity theft, bad public relations and potential fines. Software vendors should also have their applications checked for any vulnerabilities that could lead to a security breach.”
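One check a merchant can run on its own systems for the accidental storage described in the article: scan text a register or payment application has written to disk for card numbers and magnetic-stripe Track 2 data. This is an added example, not from the CNET article, Visa or Fujitsu; the log lines are constructed, the patterns are assumptions about what stored data looks like, and PIN data is not covered.

```python
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM, 3-digit service code, extra data, ?
TRACK2 = re.compile(r";(\d{13,19})=(\d{4})(\d{3})\d*\?")
# Bare 13-19 digit runs that might be card numbers.
PAN = re.compile(r"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(number):
    """Luhn checksum: filters out order ids and other long digit runs."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan):
    """Keep first six and last four digits so the report stores no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan(lines):
    """Return (line number, kind, masked PAN) for each suspected card record."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        in_track = set()
        for m in TRACK2.finditer(line):
            if luhn_ok(m.group(1)):
                findings.append((lineno, "track2", mask(m.group(1))))
                in_track.add(m.group(1))
        for m in PAN.finditer(line):
            # Do not report the same number twice when it sits inside a track.
            if m.group() not in in_track and luhn_ok(m.group()):
                findings.append((lineno, "pan", mask(m.group())))
    return findings

# Constructed log lines; 4111111111111111 is a well-known test card number.
SAMPLE_LOG = [
    "2006-03-17 10:02:11 SALE ok amount=42.10 ref=1234567890123456",
    "2006-03-17 10:02:12 DEBUG swipe=;4111111111111111=0812101123?",
    "2006-03-17 10:05:40 DEBUG keyed card 4111111111111111 zip=90210",
]
```

Any hit is a reason to find the setting or component that wrote the line; the masked output keeps the scan report itself from becoming another copy of the data.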

Visa and MasterCard Increase Rates…Again

Thursday, March 2nd, 2006

In what seems like an annual ritual, Visa and MasterCard have raised rates effective April 1st, 2006.

Visa made relatively few changes to their Interchange levels. Only a few minor increases to several corporate card categories were made. On the other hand, MasterCard made many changes to key Interchange categories. This includes their Merit III category which affects standard credit cards in a swiped environment. They also changed how their quick serve cards are handled.

The expected increase to be passed along to merchants is 2 to 3 basis points (.02% – .03%).