Best Practices for Merchants in Response to Data Breaches

With the recent spate of data breaches at major retailers, exposing credit card and personal information for an estimated 110 million Americans, the payments sphere is in a whirlwind of activity.  The long-term implications of such a massive theft of data are likely to be immense.  Government regulations, financial industry regulations, prevention strategies from POS retailers, new technologies intended to curb or eliminate this sort of breach, and even lack of consumer confidence in the use of credit cards will all impact the ways in which we do business and the costs of doing business.

This article was first published on the PLC Blog

Card not present merchants are already feeling the impacts, and a change or review in best practices and current processes is certainly a good idea.  So, what can a CNP merchant expect?

In the near term, it will mean an increase in certain soft, recyclable declines.  As issuers steer toward more conservative measures for authorizing transactions, debit cards in particular have lower daily limits.  This means that merchants will be more likely to see Do Not Honor, Credit Floor, or Insufficient Funds declines.  The good news here is that these transactions are likely to be recouped.  However, it might require an overhaul of recycling tactics.  Merchants who have the sophistication to employ varying recycling rules by card type or BIN will likely see greater success.  One key element to optimizing and determining the best recycling frequency for your specific portfolio is to produce and analyze a report that shows a portrait of your decline recovery and recycling success.
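A sketch of such a decline recovery report, added here as an example and not taken from the article or from any processor's tooling: it groups retry attempts per order and summarises recovery by BIN and first decline reason. The record layout, the BIN values, and the name `recovery_report` are assumptions, and the sample rows are constructed.

```python
from collections import defaultdict

# Decline reasons as named in the article; real processor response codes differ.
SOFT = {"Do Not Honor", "Credit Floor", "Insufficient Funds"}
HARD = {"Invalid Account"}

# Constructed sample rows: (order_id, BIN, attempt_no, days_after_first_try, result)
ATTEMPTS = [
    ("o1", "411111", 1, 0, "Insufficient Funds"), ("o1", "411111", 2, 3, "Insufficient Funds"),
    ("o1", "411111", 3, 7, "Approved"),
    ("o2", "411111", 1, 0, "Insufficient Funds"), ("o2", "411111", 2, 3, "Approved"),
    ("o3", "411111", 1, 0, "Do Not Honor"), ("o3", "411111", 2, 3, "Do Not Honor"),
    ("o4", "520000", 1, 0, "Insufficient Funds"), ("o4", "520000", 2, 3, "Insufficient Funds"),
    ("o4", "520000", 3, 7, "Insufficient Funds"),
    ("o5", "520000", 1, 0, "Invalid Account"),
    ("o6", "520000", 1, 0, "Approved"),  # approved on first try: not a decline
]

def recovery_report(attempts):
    """Summarise recycling success per (BIN, first decline reason)."""
    orders = defaultdict(list)
    for order_id, bin_, attempt_no, day, result in attempts:
        orders[order_id].append((attempt_no, day, result, bin_))

    stats = defaultdict(lambda: {"declined": 0, "recovered": 0, "days": []})
    for tries in orders.values():
        tries.sort()  # order by attempt number
        _, _, first_result, bin_ = tries[0]
        if first_result == "Approved":
            continue  # only orders that started with a decline are recycled
        row = stats[(bin_, first_result)]
        row["declined"] += 1
        for _, day, result, _ in tries[1:]:
            if result == "Approved":  # first successful retry ends the cycle
                row["recovered"] += 1
                row["days"].append(day)
                break

    report = {}
    for (bin_, reason), row in stats.items():
        days = row["days"]
        kind = "soft" if reason in SOFT else "hard" if reason in HARD else "unknown"
        report[(bin_, reason)] = {
            "kind": kind, "declined": row["declined"], "recovered": row["recovered"],
            "rate": row["recovered"] / row["declined"],
            "avg_days_to_recover": sum(days) / len(days) if days else None,
        }
    return report
```

Comparing `rate` and `avg_days_to_recover` across BINs for the same soft decline reason shows where a different retry schedule may be worth testing.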

With issuers bearing the brunt of the reissuing cost (an average of $10 per card) not all issuers are canceling and reissuing cards that are known to have been at risk.  Some are waiting until there is apparent fraud before doing so.  However, many major issuers have already proactively shut down and reissued millions of cards.   It is crucial that merchants are enrolled in and submitting accounts to account updater programs in a timely fashion.  Even with best practices here, there will be some fallout impacting overall success rates attributed to those issuers who do not participate in the updater programs.  These updated accounts will be lost, so there will be an uptick in Invalid Account declines, a hard decline whose only recourse once updater has been exhausted is customer outreach.

Longer-term effects are a bit more nebulous at this point, as members of Congress, the financial community, and retailers are debating the finer points of various technologies, including EMV (Europay MasterCard Visa, also known as chip-PIN cards) acceptance requirements.  Visa is mandating that all retailers are EMV-enabled by October 2015.  They will be required to update their POS terminals and train employees on accepting these cards that eliminate the traditional mag-stripe in favor of a smart chip.  These cards have been in use in Europe since 1997, and have proven to effectively reduce fraud – but only in a card-present environment.  The drawback has been an increase in fraudulent transactions online, where thieves can more easily test out or use stolen cards.  CNP merchants will be forced to evaluate their best practices for card acceptance.  Merchants who are at risk of high exposure to fraud should consider various third-party fraud scoring tools to help reduce the likelihood of stolen accounts getting through.

As mentioned above, there will be immediate costs to the issuing banks.  These costs could be transferred to the merchant or the consumer in the form of higher interchange fees for merchants and higher credit card usage fees for consumers.  With potentially higher usage fees, plus the reduction of consumer confidence in the safety of credit cards and debit cards as a payment option, we expect to see a decline in the overall usage of credit cards.  In fact, in a recent survey, consumers claimed to be reserving their credit cards now only for major purchases.  This new ecosystem could drive more consumers to brick and mortar shops to pay in cash or check rather than purchasing the same or similar items online.  It might also increase the adoption of non-reloadable prepaid cards for online purchases.  Recurring merchants should review their processing to ensure they are utilizing all of the tools that certain enhanced authorization file layouts offer, and then using that information – including whether or not the card is prepaid, reloadable or non-reloadable – to make appropriate business decisions.  The cost of goods, delivery if applicable, price point, and more can all factor into what is the best practice for a specific merchant.  The more data available, the better these decisions can be.

Even with these long-reaching implications for CNP merchants, there are measures and tools in your arsenal to combat the potential involuntary churn and maintain or increase your lifetime value.  The key is to evaluate your current practices, processes, and partners; analyze all available data; and make the necessary changes to ensure success.


Paul Larsen, our INSIDER Guide to Payment Processing, is the Founder and Managing Partner of Paul Larson Consulting (PLC), a consulting company focused exclusively on payment processing – specifically on recurring and installment billing merchants in the card-not-present (CNP) space.  With over 700 clients, PLC’s expertise is in helping card-not-present businesses significantly improve their bottom line by both reducing costs and increasing customer retention.
