Credit Cards: Merchants Beware

"Man. I don't know why she was doin' what she was doin', but man, that lady , well, boss, she was acting really weird, boss."

The Manager was giving the clerk about ten percent of his attention.

Boss! I swear boss. You gotta check this out. She was weird boss. I was ringing up her stuff and then, like she owned the joint, she picked up that ATM button thingy and was staring at the label on the back side."

The manager didn't even look him in the eye but acknowledged him with a shrug of the shoulders.

"I mean it boss, you gotta check this out. She read the label and said we shoulda been more careful. Something about checkin' out the company before we bought their pin pad. What's with that?"

The manager looked up over his eyeglasses from the register readings.

"That's all she said?" the manager asked. "Nothin else? Did she pay for her stuff?"

"Yup. She even used her debit card and put her numbers in the pin pad."

"Hmm," the manager muttered as he set his clipboard down.

He walked to the counter, lifted the keypad and read the label on the underside. All he found was the name of a company and a toll free number for Customer Service. He set it back down and went back to the register to complete his readings.

"Nothin' there that I can see. Nothin' to worry about."

He didn't know what I know. That store manager was walking away from an insidious risk management issue.

He had contracted for credit and debit card processing services with the same outfit the merchant next door was using for his store. How bad could it be? They both got their processing service for a great rate. They paid the lowest price available for the equipment. They got free installation and free customer service. The processing services guy even cut the store a break on interchange by putting some of the surcharge income back in to the store account. Most of the time, the store was making a little money. It was a win-win situation.

It never occurred to these merchants that they were being exposed to theft. They exposed their bank account, their personal information including electronic banking information and electronic access to an entity they probably couldn't name. Afterall, it stood to reason that any company conducting business in credit and debit card processing had been investigated. If they were in business at all they must have received the seal of approval from whatever government office oversees credit and debit card processing.

With all the bad press in recent years and beefed up security and Dateline exposure and T-DES Pin encryption and so on and so forth; how could anyone conduct 'that kind' of business without being clean? It's only logical to make that assumption.

It shouldn't be.

I'm the woman who is always picking up the pin pad and checking out the underside. It's an annoying habit, I know, for bewildered but disinterested merchants like the one I spoke of earlier. They don't know what I know. I'm checking the underside of the pin pad for the name of the company I once worked for.

That pin pad poses no threat to me, as a consumer with a debit cad, but it is most assuredly a risk management issue for the merchant.

I was in the payment processing or electronic transaction processing industry for a few years. The confidentiality of merchant processing information was a joke. In other words, there was no confidentiality. Every single employee, family member, friend or foe visiting that office had access to documents disclosing bank account and credit card numbers of the individual merchant owners contracting business with them.

Let me repeat myself. Merchant bank account, credit card, social security, driver's license, and telephone numbers were exposed and accessible on documents scattered about the office and non-secured computer files on the intranet server.

Files containing personal information for merchants dating back almost two decades were kept in empty desks where employees once sat in now empty offices occasionally in use as playrooms for visiting family and children. One particular family member who had recently been released from prison had unlimited access to merchant files.

Anyone could wander freely into just about any area in the office and find merchant information stacked in storage boxes crammed in storage closets, collecting dust in the warehouse, or stacked to the ceiling and crumbling under their own weight in the hallways. The computer room was overflowing with a mish-mash of old marketing materials and merchant forms and files staged for eventual destrustrction that was avoided due to cost or inconvenience.

Merchant files contain an initial application for credit and debit card processing. On that application, merchants provide a never-ending disclosure of personal and business information including voided checks and copies of Driver's License and Social Security cards. The information was obtained and originally used for conducting background checks, credit checks, OFAC screening and Homeland Security checks to assure the card associations and banking institutions of the merchant's trustworthiness.

The merchants who have credit and debit card processing services for the customers have been scrutizined under a proverbial microscope and are reasonably considered of NO THREAT to the public.

Unfortunately, the company establishing the electronic payment processing service for the merchant, in this case, is most assuredly a threat to the merchant. They are not a threat to consumers. They are a threat to the merchant.

MERCHANTS BEWARE: Just as thoroughly as the processing company is researching your integrity and financial solvency before they will approve you for credit and debit card processing, you must be pro-active and do the same. Do not assume that your private and business information will be kept in confidence without proving it out for yourself.

The majority of payment processing equipment and processing providers are of the highest integrity and with a simple and innocent inquiry you can be assured that you are not exposing yourself to risk. However, there is that small percentage of companies that will stumble and stammer all over themselves as they attempt to dodge your inquiries.

Merchants can and should:

* Request a list of references from anyone trying to sell processing equipment and services. That list of references should include merchants currently using their equipment and/or services. Stop the conversation if they hem and haw about producing such a document. Follow up on the references. Request additional references if you do not feel satisfied.

* Request documentation or information about the actual processor or processing company prior to completing any documents. That includes not completing their application. If the provider is reluctant to cooperate or refuses to cooperate do not proceed.

* Request a site inspection of the provider's office if it is feasible. While you are there you should be watching for unsecured folders or paperwork on desktops or conference tables. Consider the care with which they control spoken or electronic information gathering. Are other merchant accounts being discussed in your presence? Can you see the application or processing paperwork on desktops outside of a folder or exposed on a computer screen? Are they openly concerned for your privacy?

* Request a disclosure of the provider's risk management procedures. You should be specifically interested in the management of paper and computer records. Ask them to explain how your information will be kept private. When making an onsite visit, ask them to demonstrate their document disposal system.

As I mentioned, I worked in the industry and was appalled at the arrogant disregard for the merchants' personal and financial information. This side of the story has seldom, if ever, been exposed. Consumers are concerned about electronic payments. Judging by the number and frequency of national news agency reports on the topic, the American consumer has been well assured of their safety. We have been alerted to various wide-spread security issues with ATM machines, debit cards, credit cards, social security numbers and so and so forth.

I have never heard it mentioned that merchants can and should expect the same level of security for themselves. It is well past time for merchants to be aware.