Choosing the right payments partner is one of the more important decisions you'll make for your business. The information below will help you avoid common mistakes and ask the right questions.
Online Payments 101
Merchant Account Basics
Merchant Account Risk
PCI Compliance Basics
To accept credit card payments you’ll need a merchant account and payment gateway. Merchant accounts require an underwriting process; gateways do not.
A merchant account allows you to accept credit and debit cards as a form of payment while the gateway is the software that connects to the processing networks. Sometimes they’re bundled; sometimes sold separately. Most gateways have both an API for web transactions as well as a web based interface for phone, mail or fax orders.
A merchant account is not a bank account. Merchants can bank with whomever they please.
Payment taken with a Visa, MasterCard or Discover will typically be deposited into the designated bank account within 2-3 business days of settlement. American Express typically takes 5 business days.
Processing fees may be taken out daily or monthly, depending on your merchant account provider.
Most merchant account providers will bundle Visa, MasterCard and Discover as the default accepted payment types. American Express can also be added but you’ll need to indicate your interest on the application. For online payments, there is no difference in processing a credit or debit card. There is no online acceptance of pin-debit (though that is in the process of changing).
Visa cards represent roughly 65% of all transaction volume, MasterCard 20%, American Express 10% and Discover 5%.
Banks charge fees when a customer uses their credit or debit card. The fees depends on the type of card, type of business and how it’s processed. These fees are priced differently by merchant account providers which makes comparison difficult.
Most providers hide fees as well. For example, Costco advertises a rate of 1.99% and $0.27 per transaction, but this rate only applies to certain transactions. If you look closer, you’ll see that they charge 2.96% and $0.32 and 3.80% and $0.32 for other types of transactions.
Be sure and ask a merchant account provider to disclose all their fees. As you can see, merchant account pricing is quite complex and most providers aren’t overly anxious to make it easier.
PCI DSS Compliance is an industry-mandated security standard that applies to all businesses that handle, process or store credit cards
The standard’s 12 core requirements and roughly 250 controls boil down to three things: 1) all merchants must achieve and maintain compliance 2) merchants cannot store the three or four-digit security code, track data from the magnetic strip and PIN data; 3) if credit card information is passing through a merchant’s environment and or being stored, a merchant must meet certain security requirements.
All merchants except for the largest 1%, need to complete one of four compliance validation tools called Self Assessment Questionnaire (SAQ). The versions are aimed at trying to accommodate different business types and processing methods.
To achieve compliance, merchants should take the following steps: First, engage with a qualified security assessor (QSA) to determine which SAQ is applicable to your business. Next, review the SAQ to determine scope of work. Last, complete the necessary work and confirm by filling out the SAQ. This needs to be completed annually. Read more.
Some industries are considered higher risk than others, based upon decades of actual processing data. For example, restaurants are low risk while travel is very high risk. Other high risk industries include auctions, tours, lodging, events or ticketing, telemarketing, money making schemes, and virtual currency.
Most merchant account providers will prohibit industries such as gaming, adult, liquor, online dating, debt consolidation, credit repair, and bankruptcy attorneys.
In addition to industry risk, there are also billing methods that increase risk such as annual billing, lifetime memberships, retainers / account credit and aggregation. None of these, except lifetime memberships, are prohibited by merchant account providers, but the business will have to demonstrate the financial strength to support the increased risk.
Merchant account providers are financially liable for all merchant losses. This combined with low margins generally make providers very cautious when it comes to underwriting and risk management. For example, a provider would be financially liable if a merchant sold an annual membership but then went out of business four months into providing the service.
While that’s an extreme example, cardholders have up to 180 days to dispute any charge so risk is always being assessed on a businesses ability to delivery on the product or service sold and avoid disputes. Read more about Risk and Underwriting.
Instead of declining a merchant due to excessive risk, sometimes merchant account providers will try and minimize their exposure by requiring a reserve. Reserves can be structured in a variety of ways but basically a provider would take a certain percentage of sales and keep it in an FDIC insured bank account for a pre-specified period of time.
In the case of an unusually high transaction amount or dramatic increase in volume, some merchant account providers have been known to hold all funds or shut down an account until a further review has been completed.
It’s helpful to always fully explain your business model, billing practices, and expected volumes as this will go a long way in preventing future problems and surprises.
It’s an industry standard to require a personal guarantee by business owners. Merchant account providers bear all financial liability so they want to make sure that owners have similar incentives to deliver on the products or services sold. Read more about personal guarantees.
Sometimes an exception can be granted upon review of company financials.
Cardholders can dispute anything they’ve purchased for up to 180 days. Once a cardholder disputes an items, the funds are automatically debited from the merchants bank account. The merchant can then fight the chargeback by providing supporting documentation. If the merchant prevails, they will receive the funds again. A chargeback fee is charged by merchant account providers regardless of outcome. Read more about chargebacks.
© 2007-2012 Braintree, Inc. All rights reserved. Braintree is a registered ISO/MSP of Wells Fargo Bank, N.A., Walnut Creek, CA
