Digital Transactions Authoritative, insightful and timely information for payments professionals
Payments is a complex business. Best to start by mastering the basics of pricing and security.
Scratching their heads, your business leaders may ask, “Why do fees change for credit card processing? What’s this Level 1? 2? 3?” Then, they hit you with questions related to cybersecurity: “Wait, did you call my PCI Level 1? 2? 3? 4? What does that mean? Does that affect my merchant rate fees?”
Let’s stop right there.
I had a great conversation with some intellectual beasts when it comes to credit card processing solutions and cybersecurity technology: Jason Estes, president and chief executive of iCheckGateway.com, and Christopher Bulin, founder of Proven PCI Inc. Let’s discuss the differences. There were two separate conversations. Smile and nod until it’s clear to you as it eventually became for me.
First: Processing Fees
The “Levels” here get quantified by the amount of data passed through during the credit card transaction. It varies based on the requirements needed for verification and authorization. Level 1 means the fees will rate higher while Level 3 means the fee will rate at its lowest.
Part of what defines the fee rates will be the type of customers or clients your business serves. So, consider the savings when setting up the payment portal. The more data fields required, the lower the processing rates. Also, part of what defines this is the type of customers your businesses serve. Any transaction submitted with Level 2 and Level 3 card data qualifies for lower Visa and MasterCard Interchange rates. That means lower merchant fees.
With Level 1 credit card processing for consumer-to-business transactions, consumers use their personal credit cards to make purchases both large and small. These transactions require the most basic data to go through, namely, merchant name, transaction amount, and date.
With Level 2 processing, business-to-business solutions help B2B merchants build strong relationships with their clients. With this level, they increase large-ticket transactions with corporations and government agencies. Collectively, the data to qualify at a lower merchant fee rate includes merchant name, transaction amount, date, tax amount, customer code, merchant postal code, tax identification, merchant minority code, and merchant state code.
Then there’s Level 3 processing. Government or corporate purchasing cards usually fall into this category, gathering the most detailed data for enhanced reporting and more control over employee purchases.
The data fields required for Level 3 processing include those from Level 2 transactions plus several others, such as: item product codes, item descriptions, quantities, item tax rate, ship from postal code, freight amount, duty amount, destination postal code, destination country code, and more.
Second: PCI Security
The Payment Card Industry Security Standards Council (PCI SSC) was created in 2006. The main supporters include American Express, Discover, JCB, Mastercard, and Visa. They added software and hardware developers, point-of-sale terminal makers, banks, and retailers. Together, while not directly responsible for carrying out cybersecurity measures, they closely monitor transaction processes.
So, the PCI SSC’s data-security standard (DSS) put together 12 requirements for businesses processing credit cards to be in compliance. They give six objectives as well. The council set the goals as a global entity to help improve security for every aspect of the financial transaction process. As a part of that, it designed the DSS, often shortened to PCI. The council determines the “levels” of scrutiny needed by the number of credit card transactions the business handles each year:
Level 1: Merchants that process over 6 million credit card transactions annually.
Level 2: Merchants that process 1 to 6 million credit card transactions annually.
Level 3: Merchants that process 20,000 to 1 million credit card transactions annually.
Level 4: Merchants that process fewer than 20,000 credit card transactions annually.
What does this mean when choosing a payments provider? Level 1 organizations hire an external audit to dig deep into processes. The audit is performed by a QSA (Qualified Security Assessor) or an ISA (Internal Security Assessor). These audits require documentation from year-round internal and external evaluations and a discussion annually to validate, review, support, and evaluate measures set by PCI.
For Levels 2 through 4, cyber-security remains critical, but organizations can perform a self assessment without the need to pay for an external audit.
Credit card processors impose a PCI Compliance fee. This will typically vary from provider to provider depending on the support provided. While PCI does offer training and support, the PCI DSS imposes non-compliance fees. These fees discourage business owners from having timid management tolerating customer- and business-data vulnerabilities. Instead, owners at all levels will fortify their defenses, hiring a third-party entity to ensure their PCI compliance.
Education
So, passing on the data to businesses gives them confidence they earn the best pricing per credit card transaction and the most secure processing of the sensitive payment details their customers entrust to them to use
for purchases.
Whether online in a hosted payment portal or iFrame, over the phone with a representative or through Interactive Voice Recognition (IVR) software, through a mobile tablet or POS device, or within an invoicing platform using email or SMS texts, the payments revolution is here.
Teach every budding and seasoned entrepreneur, inquisitive financial student, and eager-to-learn sales-relationship manager about payments. Let them offer transparency and build trust for future collaboration.
—Nikki Estes is digital marketing manager at iCheckGateway.com, Fort Myers, Fla.
