Payment processing can be risky business! Since knowledge is power, we've highlighted some of the most common and helpful bits of wisdom regarding the risks of online payment processing.
PCI Compliance ¶
PCI DSS Compliance is an industry-mandated security standard that applies to all businesses that handle, process, or store credit cards.
The standard's 12 core requirements and roughly 250 controls boil down to three things:
- All merchants must achieve and maintain compliance
- Merchants cannot store the three or four-digit security code (CVV), or track data from the magnetic strip and PIN data
- If credit card information is passing through a merchant's environment and/or being stored, a merchant must meet certain security requirements
All merchants need to complete a Self-Assessment Questionnaire (SAQ), a compliance validation tool, in order to become compliant. The versions of this tool are aimed at trying to accommodate different business types and processing methods.
To achieve compliance, merchants should take the following steps:
- First, engage with a qualified security assessor (QSA) to determine which SAQ is applicable to your business.
- Next, review the SAQ to determine the scope of work required.
- Last, complete the necessary work and submit your completed SAQ to your qualified security assessor. This needs to be completed annually.
The best part is, if you have a merchant account with Braintree, we will provide you with a QSA at no cost to you! That means it's free to become compliant! You will still need to fill out an SAQ, but you won't have to worry about the hundreds of dollars in fees that most QSAs charge. Check out this blog post about how Braintree takes the pain out of PCI Compliance and this blog post for more information about the importance of being compliant.
Risk & Underwriting ¶
Merchant account providers are financially liable for all merchant losses. This combined with low margins generally make providers very cautious when it comes to underwriting and risk management. For example, a provider would be financially liable if a merchant sold an annual membership but then went out of business four months into providing the service.
While that's an extreme example, cardholders can dispute a transaction for more than 180 days after their purchase so risk is always being assessed on a business's ability to deliver on the product or service sold and avoid disputes.
Instead of declining a merchant due to excessive risk, sometimes merchant account providers will try and minimize their exposure by requiring a reserve. Reserves can be structured in a variety of ways but basically a provider would take a certain percentage of sales and keep it in an FDIC insured bank account for a predetermined period of time.
In the case of an unusually high transaction amount or dramatic increase in volume, some merchant account providers have been known to hold all funds or shut down an account until a further review has been completed.
To avoid this, we like you to fully explain your business model, billing practices and expected volumes. It can seem like a little more work to get going, but if you let us know that you are expecting a sudden spike in volume, for example, this will save us a lot of head scratching, phone calls and emails down the road.
Sometimes our banking partners require a reserve. The reasons are varied, but usually a reserve is required due to risk involved with your business model. This is something that should be established when you initially sign on with one of our banking partners and shouldn't come as a surprise. It is impossible to guarantee beforehand whether a reserve will or will not be required because it is determined on a case-by-case basis. Each banking partner handles reserves a little differently, so contact us at email@example.com if you have any questions about reserves or would like to know the status of your reserve.
Industry Risk ¶
Some industries are considered higher risk than others based upon decades of actual credit card processing data. For example, restaurants are low risk while travel is very high risk. Other high risk industries include auctions, tours, lodging, events or ticketing, telemarketing, money making schemes, and virtual currency.
Most merchant account providers will prohibit credit card processing for industries such as gaming, adult, liquor, online dating, debt consolidation, credit repair, and bankruptcy attorneys.
Billing Method Risk ¶
In addition to industry risk, there are also billing methods that increase risk such as annual billing, lifetime memberships, retainers / account credit and aggregation. None of these, except lifetime memberships, are prohibited by merchant account providers, but the business will have to demonstrate the financial strength to support the increased risk.
When a cardholder looks at their bank statement and doesn't recognize a charge, they can initiate a dispute with their bank called a chargeback. Once a cardholder disputes a charge, the funds are automatically debited from the merchants bank account. The funds are held in escrow by a third party while the merchant is alerted and given an opportunity to fight the chargeback by providing supporting documentation. If the merchant prevails, they will receive the funds again. If the customer wins, the funds will be deposited into their account.
Check out our Chargeback & Retrieval Overview & Tips support article for more information on chargebacks, including how to prevent and dispute them. You can also read more about chargebacks on our blog.
Personal Guarantee ¶
It's an industry standard to require a personal guarantee by business owners. Merchant account providers bear all financial liability so they want to make sure that owners have similar incentives to deliver on the products or services sold. Sometimes an exception can be granted upon review of company financials.
Braintree does not have cyberinsurance nor does it indemnify. Rest assured that security is Braintree's utmost priority, but the standard in the gateway provider industry is to not indemnify their customers. You can read more about this on this page.