Online jewelry merchant Ice.com’s wares include $1,300 diamond pendants, $3,000 engagement rings, and $4,000 pearl necklaces. Not surprisingly the company is a tempting target for credit-card thieves, says CEO Shmuel Gniwisch. A thief could use a fraudulent account number to buy, for instance, a pair of white-gold and pearl earrings, sell them at a pawnshop, and pocket the proceeds. Having a payment processing solution to help identify potentially fraudulent purchases remains an ongoing concern for the Champlain, NY-based company. “We need to be proactive in weeding out potential fraud,” Gniwisch says. And given that Ice.com processes 1,000-5,000 transactions a day, all its fraud prevention tools need to be automated.
Ice.com isn’t the only multichannel merchant with such requirements, of course. “For the card-not-present arena, payment and risk management are like breathing in and out,” says Julie Ferguson, founder/vice president of emerging technologies of Austin, TX-based Clear Commerce Corp. “You can’t do one without the other.”
In fact, more than three-quarters of the 300 merchants responding to a 2004 survey by the Merchant Risk Council, a New York-based industry organization, indicated that their businesses had experienced a fraud spike during the previous 12 months.
But Ice.com isn’t one of those companies. In late 1999 it implemented, as part of its payment processing system, an application that automatically compares each customer’s card number with a continually updated database of credit-card transactions showing how many times a particular card number was used within the previous 24 hours. Many holders of stolen cards or account numbers use them repeatedly within a short period of time, in an effort to steal as much as they can before they’re detected. In the years since it implemented the application, a hosted solution from Mountain View, CA-based CyberSource Corp., Ice.com’s level of fraudulent sales has dropped by at least 20%, Gniwisch says.
Security may be top of merchants’ minds when it comes to payment processing solutions. But other features are also key. Among these are the ability to accept different types of payments, the ability to work in an integrated manner across all channels, and the ability to integrate with a merchant’s other information systems.
Calling security
Several types of players take part in the payment processing game. Gateway providers transport the transaction from the merchant’s Website, call center, or stores to a payment processor. They may also provide other services, such as fraud screening. But these providers, which include Authorize.net and Verisign’s Payflow Pro, don’t settle the transaction. The merchant still has to find a payment processor for that, says Bruce Froendt, president/CEO of TransFirst ePayment Services, a Dallas-based payment processing services provider.
Payment processors transmit a customer’s purchasing information to the bank that issued his credit card. They also check to see that the card number is valid and that the credit line can accommodate the purchase, says Kevin Gallagher, group manager of corporate alliances with Atlanta-based payment processing services provider Paymentech. Once the transaction is accepted and the goods have shipped, the processor transfers the money from the customer’s bank account to the merchant’s. At the end of each day, the processor creates a listing of the transactions that were completed.
Some larger merchants connect directly to a payment processor without using a gateway provider. That requires working with the processor to build a frame relay or other means of connection. It’s a costly option — the frame relay connections themselves are expensive, plus there’s the need for systems expertise to manage them.
As a result, industry analysts say, they are seeing a growing preference for hosted payment processing services rather than purchased applications. For starters, a hosted system allows a merchant to get to market quickly, says Gallagher. It also enables merchants to avoid the up-front investment of a purchased solution.
Complying with the law
Perhaps more important, using a hosted service relieves merchants of some of the responsibility of maintaining systems that comply with regulations regarding the safeguarding of customers’ information. For instance, a law passed by California legislators in 2003 requires companies doing business there to publicly disclose any breaches of their computer systems if they end up compromising customers’ personal information and the information isn’t encrypted. Several other states are considering similar legislation, says Clear Commerce’s Ferguson.
In addition, the major credit-card associations continue to tighten the requirements merchants must follow to safeguard customer information. The Payment Card Industry Data Security Standard, adopted earlier this year by the major card-issuing associations, including Visa and MasterCard, requires any entity that handles customer data to encrypt the transmission of cardholder information, install and maintain a firewall, and regularly update its antivirus software, among other tasks. Merchants that fail to comply and whose databases are compromised can be fined.
It’s important to note that payment processing software providers can’t claim that the applications themselves are certified according to the standards, as the standards address functions that lie outside the software, notes Darryl Wright, president of Gainesville, FL-based Main Street Softworks. For instance, one standard covers corporate policies such as employees’ access to computer systems.
What the provider can say is that its application has been validated against the best practices the card issuers have developed for software vendors. For example, it can (assuming it’s true, of course) say that the software doesn’t retain magnetic stripe data, which is in accordance with one of the best practices.
Using a hosted solution can also relieve the merchant of having to invest in separate fraud prevention tools. As is the case with CyberSource, the service providers often bundle access to security databases with their processing services.
That’s why Ice.com’s Gniwisch continues to use a hosted solution rather than buying its own. The merchant pays CyberSource $5,000-$10,000 each month; the fee varies with the number of transactions. If Ice.com moved to a purchased or inhouse application, it would have to invest in replacing CyberSource’s fraud prevention tools. “Even if we save dollars on one end, we’d have to put dollars into fraud prevention,” Gniwisch says. Nonetheless he currently is calculating the costs and benefits of making such a move.
And even though hosted solutions may provide sophisticated fraud detection services, they don’t automatically relieve the merchant of liability for fraudulent transactions, says CyberSource spokesperson Bruce Frymire. CyberSource, for one, sends the merchant a score on each transaction. Scores range from one to 99; the higher the number, the more likely that a particular transaction will be fraudulent. The decision to accept or reject the sale lies with the merchant.
Paying for processing
Important though security and fraud prevention are, they shouldn’t be your only considerations when you are deciding on a payment processing solution. When determining whether to use a hosted service or to buy or build an inhouse solution, you have to assess the level of expertise and resources required to manage such a system, says Mike Orlando, director of strategic markets with CyberSource. If a merchant doesn’t have IT or systems resources, it will need to cost-effectively develop or acquire them before moving to an inhouse solution.
You also need to consider the forms of payment, such as gift cards and bill-me-later-programs, that your business will be accepting now and down the road. You want to make sure that the payment processing software or service can work with the payment forms it is likely to use.
What’s more, the payment processing solution needs to interface easily with your other order and accounting systems. Late last year VS Athletics, a San Luis Obispo, CA-based direct marketer of track and field equipment, installed a payment system from TransFirst that interfaces easily with the VS order management system. Customers’ credit-card information is automatically checked while they’re on the phone or online; once approved, the order is recorded in both systems. At the end of the day, says CEO Billy Smith, all the orders shipped that day are batched into one report. “I hit submit and capture the batch. It takes 30 seconds,” Smith says. Within 48 hours, funds are deposited into the company’s checking account. At the end of the month, Smith receives a report of credit-card charges by type.
The payment processing system should also be able to handle transactions across all your channels — the Internet, call centers, stores. “You want a service or solution that addresses as many payment processes at the same time,” says Lonny Paul, director of e-commerce with Tiger Direct, a Miami-based computer merchant. Otherwise reconciling different accounts and systems takes a tremendous amount of time. Tiger Direct uses a payment processing system from Paymentech that processes and reports on transactions across all three channels.
Last but certainly not least, there’s cost. Any cost/benefit analysis should include not only the visible and up-front out-of-pocket costs of the software or service but also the expenses associated with managing the system over the longer term, Orlando notes.
The cost to process payments can vary dramatically, depending on the volume of business. Clear Commerce offers a hosted solution that typically starts at about $500 per month, says Ferguson. It’s usually cost-effective for retailers handling fewer than 25,000 transactions a month. Merchants processing more than 25,000 orders a month should at least consider a purchased solution, she says. These start at about $29,000, although most applications are $50,000-$100,000. Merchants processing more than 49,000 transactions a month almost always find that a purchased solution is the most cost-effective way to go, she adds.
S2 Systems’ solutions are geared toward retailers that are handling at least 1 million transactions a month, says Lynn Holland, senior vice president/chief technology officer with the Plano, TX-based company. As a result, prices start at several hundred thousand dollars for a system. S2 doesn’t offer its solutions on a hosted basis.
Going forward, the only thing that appears constant in payment processing is continued change. Merchants continue to introduce new forms of payment, card issuers and regulators continue to introduce new security requirements, thieves continue to look for new ways to thwart security, and merchants are looking for new opportunities. “The biggest challenge,” says Paymentech’s Gallagher, “is that the market continues to evolve.”
Minnetonka, MN-based freelance writer Karen M. Kroll has written for Inc. and IndustryWeek, among other business publications.