Archive for July, 2007

When establishing your merchant account the acquiring bank that is reviewing your application is assessing the risk associated with establishing your account. They factor in many variables including ones associated with the product(s) you are selling. Different products have different risks associated with them. Let’s compare two products:

• Pencils

Selling pencils is a low risk product because not only will few people will attempt to commit fraud in an attempt to get their hands on pencils, but the customer’s expectations as to what the pencils are supposed to do a small in scope and easily met. As a result the potential for chargebacks is extremely small.

• Electronics

On the opposite end of the spectrum would be electronic gadgets like cell phones and stereos. These are frequent targets of fraudsters who essentially are trying to steal these items from you in one form or another. They also have tendencies to not meet customer expectations as they may not function as well as expected. As a result the potential for chargebacks is much greater.

Because an acquirer (A.K.A. your processing bank) is exposed to potential for losses whenever a chargeback is filed the higher the chargeback potential for a product the more difficult it will be to establish a merchant account for selling that product. This means when your merchant account is approved it is based on the merit of the products you offered at the time of your application.

So what if you want to add more products to your store? Well, there are a couple different scenarios for this:

1. The newer products are very similar to your current products

In this case you shouldn’t have to notify your acquirer. Since they based their decision to approve your merchant account on the type of the product and not specific products then you are in effect not making a sigificant change to your product offering. They have already factored these product types into their decision and adding these pr0oducts won’t affect that decision.

2. The products you are adding not related to the your current products

In this case you should contact your acquirer to let them know you will be adding these different products to your website. How they handle it will vary but if the number of products are significant and/or the product line is significantly differently you can expect your acquirer to expect a new merchant account to be opened for the new products. This will also certainly mean having a new website as well. The reason for this is due to different products having different risks.

It also has to do with how your business is presented. Usually a business name is modeled after the products it offers. If you are now offering different products for your business then when you established the business there is a good chance your current business name will not match the theme of your new products. This will cause confusion when your customers get their blling statements and result in an increase of chargebacks.

What it all boils down to is if you plan on adding products unrelated to the products your business currently offers then you will need to contact your acquirer and verify with them that it is okay to use your merchant account to accept payment for those products. If you think you can add them without your acquirer knowing think again. All it takes is one chargeback to get their attention. At that point instead of taking a customer friendly approach to the situation they may take a defensive approach and hold your funds while they get the matter squared away. If you don’t mind having a large sum of your money held for six months then this won’t be an issue. But if you want your money and don’t want your acquirer holding it back from you, always be proactive and let them know of a product change.

A common problem in ecommerce is fraudulent orders from overseas customers. The risk is so high in fact that some merchant account providers will not allow their merchants to accept orders from foreign countries. Even if they did, and you wished to solicit foreign orders, some regions pose such a high risk for fraud that accepting any order from that region would be just bad business.

So how do you reduce your risk of fraud from there regions? The easiest way to mitigate your risk is to block users from these regions from reaching your site. The Apache webserver offer the ability to block these regions as a group from your website. To do this create a file called .htaccess and place it in the root directory of your website (or your store if you only want to block that part). Place this code inside of it:


<Limit GET POST>
order allow,deny
allow from all
deny from 195
deny from 218
deny from 219
deny from 220
deny from 201
deny from 221
deny from 222
deny from 202
deny from 80
deny from 223
deny from 211
deny from 60
deny from 210
deny from 57
deny from 58
deny from 59
deny from 60
deny from 77
deny from 78
deny from 79
deny from 80
deny from 81
</Limit>


That’s it! This should block users from high risk parts of the world from accessing your site. Keep in mind they can still use an open proxy to make their IP address appear to be different and this doesn’t mean that the users now able to visit your site is honest. You still need to scrub your orders for fraud. But this should reduce the opportunity for fraudulent users in high risk areas to attempt to commit fraud on your website.

A common question in communities around the Web is, “what exactly is a payment gateway”? According to Wikipedia:

A payment gateway is an e-commerce application service provider service that authorizes payments for e-businesses, online retailers, bricks and clicks, or traditional brick and mortar. It is the equivalent of a physical POS (Point-of-sale) terminal located in most retail outlets. Payment gateways encrypt sensitive information, such as credit card numbers, to ensure that information passes securely between the customer and the merchant.

So what exactly does this mean? Here’s an explanation in human terms:

A payment gateway basically is a credit card terminal for your website. It serves the same purpose but is not tangible like a credit card terminal. It’s job is to take the transactions from your website and send it to the processing bank to seek an approval, or decline, and return it to your website so you can complete the transaction (or ask for another form of payment). But, instead of having a human being entering the transaction into a credit card terminal and then reacting to the response (approved or declined), your website is sending over the information on your behalf and reacting to the results based on your website’s programming.

Now that we have a simple explanation of what a payment gateway is, let’s look at what they are not. There are a lot of misconceptions about what payment gateways are and can do. Here’s a couple of things payment gateways in general do not do:

1. Manage orders

   Order management, keeping track of your user’s items being purchased, is the responsibility of your shopping cart. The shopping cart adds up the total amount of the purchase and that is the information it passes on to the payment gateway along with the customer’s personal information.

2. Validate data

   Although the payment gateway will make sure you don’t send it bad information so it is unable to process the transaction (e.g. make sure the credit card is numeric and the right amount of digits, you provide an expiration date, etc.), they won’t make sure that the information you have sent is valid. For example, if someone types in 12345 as their zip code, the payment gateway won’t catch that it is a fake zip code. Same as if someone used 1234123412341234 as their credit card number. Basic data validation is up to your website’s programming to catch and react to.

Here’s a couple things that a payment gateway is not:

1. A merchant account

   As mentioned above, a payment gateway connects to a merchant’s website or POS system to the merchant’s merchant account so it can process credit card transactions. Thus, a payment gateway in and of itself is not a merchant account. It cannot process transactions without a merchant account being linked to it. A payment gateway without a merchant account is even less useful then a credit card terminal without a merchant account. At least a credit card terminal can be used as a paper weight!

2. A third party processor

   Payment gateways are commonly confused with third party processors (see What exactly is a Third Party Processor?) as on the surface the two seem to be very similar. While it is true that third party processors do include a form of payment gateway in their services they are very different things. The service third party processors offer is a sharing of their merchant account. To effectively do this they must have you process everything through their system and as a result offer payment gateway-like functionality to facilitate the process. But these aren’t true payment gateways as they only work with that third party processor and is limited entirely to the services they offer.

After reading that, you may think that payment gateways aren’t all that special. Well, you’d be half right. They are far less complicated then most believe them to be. They are specialized applications and they do their job well. But many payment gateway providers do offer additional services to add value to their products. Some additional tools commonly offered include:

1. Fraud screening

   With Internet sales making up the overwhelming majority of credit card fraud, screening sales for fraud is a high priority for every online merchant. Most gateway providers provide tools to utilize basic fraud tools such as AVS and CVV by reporting the results of these systems or even allowing transactions to be declined automatically that fail either test.

2. Payment history

   Each transaction that is processed through a payment gateway is captured and stored in a merchant’s account for later reference. This makes keeping track of online payments automatic (and hopefully redundant).

3. Recurring billing

   A common feature of subscription based websites is the ability to charge customers on a regular scheduled basis. Some POS software includes recurring payment functionality and many payment gateways offer this feature as well. By doing so they take the burden of PCI Compliance off of the merchant. The merchant does not need to worry about storing credit card information and the security that is required to do so.

All-in-all a payment gateway’s purpose is small in scope but they are still powerful and essential tools for online processing. If they still seem daunting to you, just remember they are just virtual credit card terminals and act almost in the very same way. They connect your website to your merchant account so you can get paid from credit card sales. Simple yet powerful.

Technorati Tags: payment gateway, recurring billing, merchant account, fraud screening, avs, cvv, POS systems, PCI compliance