Whitney Carnahan, Features Editor of Rental Management Magazine, recently contacted Rob Ross, President of Alert Management Systems, for opinions regarding a variety of credit card payment and security issues. In the April issue, already out in print and digital form, a number of the non-security-related answers were published as excerpts. In May, she plans to write another article focused entirely on credit card security. Here is the full text of our responses to Whitney’s questions.

--------------------

Carnahan: What should rental stores look for in payment applications for software?
Ross: Nothing has changed more in the rental world than credit card payment processing. The retail world in general has been rocked by a string of credit card frauds and breaches that have affected even the largest and most secure institutions. In response, new PCI security regulations have been issued frequently in the last few years, making compliance a moving target for everybody involved.
Many rental stores are facing more and more frequent audits as well as surcharges and penalties for non-compliance. They have been required to upgrade software and even hardware, especially routers and devices that control networks across multiple stores. The PA-DSS questionnaires for merchants ask increasingly sophisticated questions requiring IT skills and implying liability for inaccurate answers. Meantime, the PCI Board continues to make new rulings in response to new breaches.
Carnahan: From a security perspective, what should rental stores look for in payment processing applications?
Ross: First, it is important to understand that ‘best practices’ start at the rental counter. Regardless of the software you use, you need to make sure your staff is not ‘keeping notes’ of credit card numbers and associated information in unsecure places. Secondly, if your software allows you or anyone in your organization (regardless of password level) to see all 16 digits of any credit card, your software is now obsolete and needs to be upgraded. (Only the last four digits may be viewed in their human-readable form.)
If you process cards separately (on a physical terminal provided by your bank or processor), you simply need to find out if the hardware device(s) are up-to-date. If you have an integrated (PCI-Compliant) credit card system, ideally, it should not store cards in any form on your computer system, so your store has the maximum protection with the least amount of regulation of your physical network. State-of-the-art systems from industry leaders are the best bet in today’s environment. (For example, Alert uses PAYware Connect from Verifone, which only stores cards in a secure ‘Cloud’ environment. Verifone is the world’s largest payment processor.) Companies like Verifone have the resources and technology to keep up with ever-increasing security requirements.
Carnahan: How can software impact a rental store’s bottom line? How can it help them get paid?
Ross: The ‘real cost’ of payment processing charges is often complicated and difficult to assess. One thing is certain: any savings or overcharges go right to the bottom line. The most important thing to do is to add up all your charges and divide into the total amount of all your credit card transactions. This will tell you your ‘effective rate’ vs. the rate you pay for ‘qualifying’ charges. Inevitably, the effective rate is more representative of your real cost (and much higher). We also recommend that you periodically get a second opinion from an expert or consult with a broker for multiple competing payment systems. There is no one right answer, in part because every store will experience a different mix of cards and types of transactions. (There can be differences in even the most subtle ways: How are fees credited for refunds, for example?)
With respect to your software vendor, it is important to know if you are free to choose any processor, or if you are restricted to a particular vendor. Common sense tells you that you want to have the most competitive environment possible for your business. It is also fair to know if there will be recurring support and upgrade charges.
Although allowing your customers to pay their accounts receivable balance via credit card can be costly, many stores are switching as much of their A/R business to credit card as possible, as a way to improve their aging, increase cash and lower collection costs, especially for smaller accounts. Your software system should help you set goals and measure your progress, so you can assess the financial results of this strategy. Again, there is no single right strategy.
Carnahan: Many rental stores I have talked to say their customers’ credit card information is not stored on their computers. Is that true? What kind of encryption do they need for secure information?
Ross: As discussed above, it will be increasingly difficult for small businesses of any kind to justify the risk and regulatory hassles of maintaining credit card information on their own computer systems, particularly now that there are ultra-safe, low cost ‘cloud-based’ alternatives (such as PAYware Connect) available. After all, even major institutions with the latest encryption technology have been victimized by credit card fraud. The ultimate peace-of-mind comes from knowing you cannot be targeted because you simply do not store any credit card information.