In This Issue
Dodging Disputes and Disaster
Protect Your Customers, Protect Your Business
Service Providers & PCI DSS
ProPay News
Save the Date!!

Happy St. Patrick's Day! It's generally a day to celebrate good luck and cheer. Unfortunately, when it comes to protecting our businesses, relying on the luck of the Irish is not a viable strategy. Our businesses face challenges from a variety of fronts - regulatory complexities, customer disputes, competitive products and services, and sometimes adapting to new technologies and market demands. Being able to respond to these challenges quickly is a vital component in maintaining a successful business.


Our newsletter this month is focused on tips for protecting your business. How can a company avoid customer disputes on payment card charges? What can I do to protect my consumers' data, and thereby my company's reputation and livelihood? How can I engage third-party service providers in a way that meets my needs without introducing additional liability? All of these questions are addressed in the articles below. As always, please feel free to forward this newsletter to anyone that you think might be interested.


In the tradition of St. Patrick's Day, we'd like to leave you with the following:

"May you have warm words on a cold evening, a full moon on a dark night, and a smooth road all the way to your door." 

-traditional Irish toast

The ProPay Team
Dodging Disputes and Disaster
by Nicole Kidd, Resolutions Manager

The word "dispute" often has a negative connotation. Look it up in the dictionary and you'll find words such as "quarrel," "argument," "a heated discussion," and "disagreement" as synonyms. For merchants processing credit cards in the business world, disputes can make or break their business. Hopefully after reading this you will have a better understanding of the different types of disputes and the most important factor - how to protect your business.


Let's begin with the understanding that disputes are merely a part of doing business and the chances of encountering one during the duration of your business are pretty good. Whether or not the dispute will make or break your business depends partially on you, the merchant.  What type of documentation are you obtaining for the sale? Are they face to face transactions or purely online based? Are you shipping product or giving the customer their items in the store? Cardholders have a broad time frame (generally six months, but sometimes up to a year depending on the issuer of the card) in which they may issue a dispute through their card issuing bank. There are two different types of disputes to be aware of: possible chargebacks and chargebacks. Possible chargebacks, also known as retrieval requests, are less severe than a chargeback because it's merely a customer questioning the charge. No funds have been moved, it does not reflect on your merchant account, and the time frame to respond and resolve is shorter. Chargebacks involve the exchange of funds, impacting your merchant account, additional fees and a lengthier time frame to resolve. Now that you know what they are, how do you protect yourself?


So while chargebacks and retrievals may still occur despite your best efforts to prevent them, you can be prepared to issue a rebuttal (properly known as a representment) to the card issuing bank with solid documentation supporting the charge in your favor. Remember, it's always better to be prepared for a possible disaster than to be left picking up the pieces.  



Protect Your Customers, Protect Your Business

by Dr. Heather Mark, PhD, SVP, Market Strategy

It is easy to see the growing morass of data security and privacy regulation as a burden on your organization.  However, the protection of consumer information also protects your business.  For companies that process payments, it is common to focus on the protection of this data to the exclusion of all else.  It is important to note, though, that the categories of data that must be protected are far broader than simply payment data.  The question that many companies ask is "What data must be protected and how should I protect it?"


The data that must be protected is defined as Personally Identifiable Information, or PII. Less commonly, it is also referred to as Non-public Personal Information (NPI). Most states and their regulations define PII as any information that can be used to uniquely identify an individual. Often, this can be defined as the first name or initial and last name in conjunction with any of the following elements:

  • Social Security Number
  • Driver's License or Government ID number
  • Financial Account Number (sometimes this must include password or PIN as well) 

Some laws have more strict guidelines, including information such as birth date, mother's maiden name, electronic routing (email) information, and even biometric information.  The key is that this is all data that can be used, either on its own or with two or more elements combined, to uniquely identify an individual.


It is equally important to remember that protecting data involves more than the technical and physical safeguards that are put in place to prevent someone from stealing the data. Companies must also constantly examine the ways in which they use, and sometimes share, that data. If a company shares data with a third party, is that disclosed to the consumer? Does the consumer have a choice as to whether or not that data is shared with a third party? Is the company using the data in a manner that is consistent with the consumer's expectations? All of these questions must be considered when determining whether the company is adequately protecting its consumers' data.


Why is the protection of this data so important? Very simply, it matters because your business may depend upon it. According to a recent Ponemon Institute survey, even the smallest business may have significant liability for any misappropriation of consumer data. In the event of a data breach, the average cost per record for which a company is liable is $214. That is a $10 increase over the reported cost for the previous year. Even more disconcerting, according to the Ponemon Report, "it's not always the bad guys doing bad things that cause data breaches.  It's often your best employees making silly mistakes.  Negligence is still the leading cause of data breaches at 41 percent."


For more information on what is required of businesses and how to protect your customers, visit the Bureau of Consumer Protection Business Center.


Service Providers & PCI DSS...know the rules (part 3)

by Chris Mark, EVP Data Security & Compliance

This subject seems to come up again and again, so it is worth mentioning again. There are still some 3rd party service providers that refuse to adhere to the card brand rules. These rules include complying with the PCI DSS and registering with the card brands (Visa, MasterCard). The end result is that this exposes merchants to significant risk if the 3rd party either has a data breach or is found non-compliant. PCI DSS requirement 12.8 mandates that merchants only use compliant 3rd parties. Additionally, Visa and MasterCard require registration of all service providers. If you are a merchant using the services of any 3rd party (such as ProPay or a backoffice provider), ensure they are compliant with the card brand rules (like ProPay).


Visa defines its 3rd parties as Third Party Agents, or TPAs. As stated on Visa's website:


"A TPA is an entity, not connected to VisaNet, that provides payment-related services, directly or indirectly, to a Visa client and/or stores, processes or transmits Visa account numbers."


It then states:


"Agent registration is required for all entities performing solicitation activities and/or storing, processing or transmitting Visa account numbers for Visa clients (or on behalf of their merchants). "


Finally it answers the question as to whether "TPAs (are) required to be PCI DSS compliant?"


"Yes.  Any TPA that stores, processes or transmits Visa account numbers must validate PCI DSS compliance with Visa every 1 months."


In short, if you are using a 3rd party company (processor, backoffice provider, etc.), they must 1) be registered with Visa and MasterCard, 2) independently comply with the PCI DSS, and 3) validate directly with Visa and/or MasterCard every year. If they don't follow these rules, your company could be at risk.



Introducing the ProPay JAK



ProPay is excited to announce the ProPay JAK™ - a simple, secure and very affordable card reader device that plugs into the audio jack of a Smartphone.

When available, ProPay JAK will work on the iPhone 4, 3G, 3GS, iPod touch, and iPad. Work is moving ahead quickly to support the Droid, Droid II, Droid X, and Blackberry phones.  


With the ProPay JAK, you can: 

  • Process credit and debit cards in real time on your Smartphone wherever you have data coverage.
  • Store the card data securely (encrypted) on your Smartphone if you don't have data coverage for later processing.
  • Put the card data securely "On File" with ProtectPay for future billing.
  • Send an email receipt to the cardholder. 



In addition, the ProPay JAK has some key advantages over other audio jack swipe devices, including: 


  • Security - The ProPay JAK immediately encrypts the magstripe data at swipe ensuring sensitive payment data cannot be compromised by malware on your phone.
  • Dependable Reads - The ProPay JAK reads up to 3 tracks of information with a single swipe, in either direction, providing superior reading performance.
  • Convenient Attachments - The ProPay JAK comes with attachments that secure the reader to your mobile phone or iPad so it doesn't spin around, wiggle, or risk damaging your audio jack port.
  • Simple, Non-Variable Rates - You know what your rates are upfront and don't have to worry about qualified or non-qualified rates and downgrades. Below are the swipe rates for ProPay JAK:


Premium         2.69% + $0.25
Premium Plus    2.59% + $0.25
Platinum        2.49% + $0.25


The best part is that ProPay JAK works seamlessly with existing ProPay accounts and reports. 


The ProPay JAK will be available in early April. Look for more details very soon about the ProPay JAK. ProPay is leading the way in the world of mobile payments. 


Save the Date!!

Speaking Events

Chris Mark, EVP Data Security & Compliance

April 4, 2011 @ Taug2011, Vancouver, BC, Canada

PCI Compliance & PA DSS - What Now?





Dr. Heather Mark PhD, SVP Market Strategy

June 6, 2011 @ The 5th Annual Mobile Banking & Emerging Applications in New Orleans, LA.





DISCLAIMER:  ProPay, Inc. provides this newsletter only for general information or educational purposes.  Nothing herein should be relied upon without seeking the advice of an attorney or other professional appropriate to the subject matter.  While ProPay, Inc. strives to ensure information in this newsletter is accurate and current, ProPay, Inc. does not guarantee or represent that the information is correct, complete, or up-to-date; nor shall ProPay, Inc. be liable for any indirect, incidental or consequential damages (including lost data, information or profits) sustained or incurred in connection with the use of, operation of, or reliance upon any information contained in this newsletter.