It May be Time to Switch Card Processors

Written by David Taylor
April 1st, 2009

GuestView Columnist David Taylor is the Founder of the PCI Knowledge Base, Research Director of the PCI Alliance and a former E-Commerce and Security analyst with Gartner.

There is a lot of dissatisfaction in the merchant community with their card processors. Cost is, of course, the major concern: Many of the merchants I spoke with are trying to get their per-transaction costs as low as possible. But they are also unhappy about downgrade charges, the indecipherable bills, the lack of help from their representatives, and what they view as the coercive nature of the relationship.

The complaints are the loudest about the largest of the processors, all of which belies the notion that “bigger is better” when it comes to card processing. The two card processor breaches appear to have been “wake up calls” to get merchants to take action on their growing dissatisfaction with their card processors.

One of the lessons learned from the recent processor breaches is that no company, anywhere, is 100 percent secure. An unfortunate by-product of the PCI standards (like any standards) is that they have accelerated the commoditization of the payments industry and increased the control of the card brands over the value chain.

Of course, maybe that isn’t an “un” intended consequence of PCI DSS. Politics aside, I have talked with many merchants for whom payment processor (and other service provider) selection criteria has been reduced to only two questions: “How much per click?” and “Are you PCI compliant?” This is a mistake.

Merchants need to continue to exercise due diligence to understand and quantify the value of the differentiators which go beyond basic PCI compliance and per-transaction pricing. Three security-focused differentiators are worth mentioning:

  • End-to-End Tokenization
    Most of the packages that are termed tokenization today are focused on the point of sale, where card data is removed from the process at the earliest point, and a token number with no market value is substituted. Today, these approaches are offered by third party gateway vendors and other service providers and they can certainly reduce the scope of a PCI review and risk to the card data.

    But there’s a much larger opportunity for card processors to offer end-to-end tokenization efforts as a way to technically “lock in” existing customers and as an attractive way to integrate card data management services with card processing services, drawing new customers by providing a “back end” to go with the “front end” of the POS tokenization offerings. Several merchants are waiting to “pull the trigger” on their tokenization decision until it’s offered by a card processor.

  • advertisement

    Comments are closed.


    StorefrontBacktalk delivers the latest retail technology news & analysis. Join more than 60,000 retail IT leaders who subscribe to our free weekly email. Sign up today!

    Most Recent Comments

    Why Did Gonzales Hackers Like European Cards So Much Better?

    I am still unclear about the core point here-- why higher value of European cards. Supply and demand, yes, makes sense. But the fact that the cards were chip and pin (EMV) should make them less valuable because that demonstrably reduces the ability to use them fraudulently. Did the author mean that the chip and pin cards could be used in a country where EMV is not implemented--the US--and this mis-match make it easier to us them since the issuing banks may not have as robust anti-fraud controls as non-EMV banks because they assumed EMV would do the fraud prevention for them Read more...
    Two possible reasons that I can think of and have seen in the past - 1) Cards issued by European banks when used online cross border don't usually support AVS checks. So, when a European card is used with a billing address that's in the US, an ecom merchant wouldn't necessarily know that the shipping zip code doesn't match the billing code. 2) Also, in offline chip countries the card determines whether or not a transaction is approved, not the issuer. In my experience, European issuers haven't developed the same checks on authorization requests as US issuers. So, these cards might be more valuable because they are more likely to get approved. Read more...
    A smart card slot in terminals doesn't mean there is a reader or that the reader is activated. Then, activated reader or not, the U.S. processors don't have apps certified or ready to load into those terminals to accept and process smart card transactions just yet. Don't get your card(t) before the terminal (horse). Read more...
    The marketplace does speak. More fraud capacity translates to higher value for the stolen data. Because nearly 100% of all US transactions are authorized online in real time, we have less fraud regardless of whether the card is Magstripe only or chip and PIn. Hence, $10 prices for US cards vs $25 for the European counterparts. Read more...
    @David True. The European cards have both an EMV chip AND a mag stripe. Europeans may generally use the chip for their transactions, but the insecure stripe remains vulnerable to skimming, whether it be from a false front on an ATM or a dishonest waiter with a handheld skimmer. If their stripe is skimmed, the track data can still be cloned and used fraudulently in the United States. If European banks only detect fraud from 9-5 GMT, that might explain why American criminals prefer them over American bank issued cards, who have fraud detection in place 24x7. Read more...

    Our apologies. Due to legal and security copyright issues, we can't facilitate the printing of Premium Content. If you absolutely need a hard copy, please contact customer service.