Thursday, December 17, 2009

The IRS and the Merchant Account

News from the IRS is that starting in 2011, all merchants will be receiving 1099s from their credit card processing banks. What this means is the IRS will track credit card charges through your merchant account as income. For 99.9% of you, this is not an issue. For the other .1%... well, you've got some work to do!

Of note: the IRS considers nonprofit organizations as prime money laundering targets, so these 1099s to nonprofits may be especially important.

Monday, December 14, 2009

82North and DonorMarket Certification

Well, as we've said from the beginning, you don't know what you don't know!

82North (and hence DonorMarket) is PCI Compliant and has contracted with McAfee for daily scans through its HackerSafe program. 82North has always been hacker safe and passed the first scan with flying colors - what else?!

Going forward, you can ask your constituents to download "securityadvisors", which attaches itself to the web browser and indicates the site's hacker safe protection.

82North has done everything it can to be on the forefront of ensuring your data's protection while continuing to provide a value-based product. Because DonorMarket uses the 82North software, DonorMarket has the same assurances in place.

Please contact us at 82North and DonorMarket with any questions you may have: 302-425-3658, 888-900-3658.

Happy Holidays! Betsey

Thursday, December 10, 2009

how to fill out the questionnaire

Thanks for keeping track of this nonsense!

Ok, for the Metro Merchant Services questionnaire, you use a Completely Outsourced Shopping Cart (I hate that term; 82North is so much more!). If it asks you something about a terminal, you use a Virtual Terminal - unless of course you actually bought a terminal and use it.

Once you have completed the survey, you may get a "Congrats, you can fill out the SAQ-A", which is where all of part 9 is N/A - you do not carry around any cardholder data on any media (meaning paper, hard drive or whatever) - and all but one question in part 12 is YES. As I recall, there is one piece, again about media, which is N/A.

Later on, the SAQ-A will ask you to explain the N/A answers - do so by saying that no cardholder data is kept on any media.

Wednesday, December 9, 2009

Who is an "acquirer"?

Most of you have First Data as your acquirer; some will have a different acquirer if you process using CardFlax, PayTrans, BuyTrans, or ImpactPay.

But you are no longer allowed to send your SAQ-anything to your acquirer!

For MMS merchants ONLY, you are required to send your SAQ to:

ControlScan
ATTN: Christina Leighton
340 Interstate North, Ste 347
Atlanta, GA 30339

Non-MMS merchants should contact their service provider directly for more details.

PCI Certification

Ok, so you've dutifully filled out the questionnaire, and if you are lucky you get a message that says "you qualify for SAQ-A", and it provides it there for you. At the end of SAQ-A, you are told to send it to your acquirer. Same thing as if you went to the website I told you about.

Well here is the newest wrinkle I learned last night - you STILL get charged a monthly fee even if you are PCI Certified! What a racket this has become. I am told by MMS that when certified, you will be charged $4.95 per month - $8.90/mo if you require a scan. SAQ-A merchants do not require a scan, but don't expect them to lose out on a fee when they can claim you do need a scan.

Nothing about this process makes any legitimate sense and it is all a money making scheme.

I welcome your comments if you disagree!

Monday, December 7, 2009

PCI Compliance - one more piece

In filling out the SAQ-A for 82North and DonorMarket, I now realize there is a second piece of documentation (nearly identical to the first) which is required: the Attestation of Compliance, or AOC-SAQ-A.

So after completing SAQ-A, download and fill out AOC-SAQ-A.

Stay tuned for the exact location of where to send the completed forms.

Thursday, December 3, 2009

Some useful tools

Did you know Vertical Response (www.verticalresponse.com) gives non-profits 10,000 FREE emails per month? Here is a shout-out to that generosity!

And I hope everyone has signed up with Tech Soup (www.techsoup.com) which provides access to deeply discounted software and hardware.

Monday, November 23, 2009

PCI Compliance - what is the credit card industry up to now?

PCI Compliance for 82North and its Clients

This paper has been prepared with the 82North client in mind and uses Payment Card Industry Data Security Standard information provided by various sources as noted.

PCI Compliance means that you have security measures and procedures in place as outlined for your level of merchant account and credit card data activity. This compliance has been required since July 2007, though it has evolved and is only slowly being implemented by merchant account providers (Independent Sales Organizations, or ISOs).

There are four levels of merchant account activity, each requiring its own set of measurements and standards. Organizations with merchant account activity between 20,000 and 1,000,000 transactions per year are considered Level 4. This level, the lowest of the standards, means that those organizations can self-assess their security, but it does not mean the requirements for that security are any less.

Now that you have determined your Merchant Level, you need to determine which Self-Assessment Questionnaire fits your business model. Go to http://www.pcicomplianceguide.org/pcifaqs.php#4 or https://www.pcisecuritystandards.org/saq/index.shtml.

• SAQ-A is for merchants using 82North as the sole eCommerce solution and who do not store or process any credit cards any other way. 82North clients with no knucklebuster (hand swiper) or swipe machine can fill out SAQ-A.
• SAQ-B is for merchants using a knucklebuster ONLY (does not apply to 82North clients).
• SAQ-B is also for merchants who use a swipe terminal only (does not apply to 82North clients).
• SAQ-C is for those 82North clients who use the 82North service as well as a knucklebuster and/or a swipe machine.

As you know, those of you who have merchant accounts through Metro Merchant Services (MMS) are beginning to see requests for surveys which identify what type of merchant you are. If you use an online service, MMS is attaching an $8.90/mo fee to “certify” you as an online merchant. If you do not use 82North but only 1 swipe machine, you will incur a $4.95/mo fee. If you do not use 82North but have more than one swipe machine, you will incur the $8.90/mo fee.

This is the most important piece for you to understand – as a merchant account holder, you MUST certify yourself. If there is a data breach with your credit card activity, you can be fined!
“Q: What are the penalties for noncompliance?
A: The payment brands may, at their discretion, fine an acquiring bank $5,000 to $100,000 per month for PCI compliance violations. The banks will most likely pass this fine on downstream till it eventually hits the merchant. Furthermore, the bank will also most likely either terminate your relationship or increase transaction fees. Penalties are not openly discussed nor widely publicized, but they can be catastrophic to a small business.
It is important to be familiar with your merchant account agreement, which should outline your exposure.”

In essence, your organization must implement security procedures to ensure any data you collect is safe and that you are PCI Compliant/Certified. However, if you do not store data in-house (i.e., you use 82North) you do NOT require a server scan.

But we aren’t finished there. As a merchant you must be certified, but the services you use must also be certified. This is where 82North and your online gateway come in. Remember, as an 82North client, you have three pieces to the puzzle - your merchant account, the online gateway and 82North as the web "portal":

1. You have the merchant account, many of you through MMS but other merchant account providers are represented as well. You have to certify yourself as a merchant (those SAQ levels).
2. Your merchant account has an online gateway through which 82North authorizes and captures credit card transactions on your behalf. This online gateway must be certified as well. Metro Payment Gateway, the gateway MMS merchants use, is PCI Certified. If you use another online gateway, you must ask that gateway representative about their PCI certification – ask for nothing less than PCI Certified and make them prove it.
3. As an 82North client, you use 82North as your online transaction processor which also stores your credit card data. 82North must also be PCI Certified.

82North is now in the process of becoming PCI Certified. As a Shared Hosting Provider (SHP - we host your secure websites), 82North is required to complete SAQ-D. SAQ-D is for those SHPs who process between 20,000 and 1,000,000 transactions per year. 82North has determined that an upgrade to server hosting will have to be made and should be made by the end of 2009. To give you a sense of the effect on this service, hosting costs will now go from $2,500 per year to $14,400 per year, an 826% increase. Wow. No, the rates for 82North are not going up to match that hosting cost increase, but I share it with you to give you a sense of the magnitude of the effect PCI Compliance has on a company like 82North.

There will be a few changes in the password requirements for the Administrative Interface. PCI Compliance requires a 7-character password combining numbers and letters which is changed every 30 days.

As for the 82North database and storage of credit card data, it has been compliant from Day 1. We do not store the entire card number, and never have; nor do we save the CVN or PIN. From a software standpoint, 82North has always been PCI Compliant.

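To make concrete what "we do not store the entire number, CVN or PIN" means in practice, here is an added Python example (my illustration, not 82North's code): it keeps only the first six and last four digits of a card number before storage, drops the sensitive authentication fields entirely, and scans stored text for any full card number that slipped through. The field names, the test card number and the sample log line are constructed assumptions.

```python
import re

# Sensitive authentication data that PCI DSS forbids storing after authorization.
# Field names are assumed for this example.
SENSITIVE_FIELDS = {"cvn", "cvv", "cvc", "pin", "track_data"}

# A card number: 13-19 digits, optionally separated by spaces or dashes,
# not embedded in a longer run of digits.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by all major card brands."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:            # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def is_plausible_pan(pan: str) -> bool:
    digits = re.sub(r"\D", "", pan)
    return 13 <= len(digits) <= 19 and luhn_ok(digits)


def truncate_pan(pan: str) -> str:
    """Keep first six and last four digits, the most PCI DSS lets you keep in the clear."""
    if not is_plausible_pan(pan):
        raise ValueError("not a plausible card number")
    digits = re.sub(r"\D", "", pan)
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def sanitize_for_storage(txn: dict) -> dict:
    """Return only the part of a transaction record that may be persisted."""
    stored = {}
    for key, value in txn.items():
        k = key.lower()
        if k in SENSITIVE_FIELDS:
            continue                      # CVN/PIN/track data are never written
        if k == "pan":
            stored["pan_masked"] = truncate_pan(value)
            continue
        stored[key] = value
    return stored


def find_full_pans(text: str) -> list:
    """Audit helper: flag Luhn-valid card numbers in logs or database dumps."""
    return [re.sub(r"\D", "", m.group(0)) for m in PAN_RE.finditer(text)
            if luhn_ok(re.sub(r"\D", "", m.group(0)))]
```

Running find_full_pans over exported logs and database dumps is a cheap way to verify the "nothing stored" claim instead of taking it on faith; expect the occasional false positive, since one in ten random digit runs passes Luhn.
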
In summary, what does PCI Certification and Compliance mean to you?
1. You have to fill out the MMS survey when they ask you to, and yes, pay the fee.
2. You have the choice to complete the SAQ which corresponds to your activity and become PCI Certified as a merchant. Once you do this, your certification letter can be sent to MMS and they will eliminate the fee. Self-certification costs nothing but your time, and I heartily recommend it.
3. In order to remain as value-based as it has, 82North requests that you send referrals! The best way to cover the increased costs of the PCI Certified servers is to increase revenue.
This is a major fork in the road for 82North, the third one since starting up in 2004. The first was redoing the software, the second was personally guaranteeing the merchant account activity in 2005 when it was no longer allowed for you to use the 82North merchant account, and now we have the PCI Certification issue. 82North has shown itself to be committed to providing a cost-effective service for your needs. This new world of secure data continues to evolve, and 82North continues to do the research so you are better informed – and to be nimble enough to quickly evolve with the industry!
These requirements do not apply to DonorMarket clients, but are shared for your information. You DO have the responsibility to have secure procedures in place for any cardholder data. Consider filling out a SAQ-A for yourselves, though there is no need to send it anywhere.

As always, please contact 82North with any questions you have: EMoran@82North.com, 800-979-0082, 302-425-3658
Thank you for what you all do for your community!