Every so often, I’ll have an e-commerce client ask me “Will I ever be able to accept PIN-based debits online?” Although many companies have tried to devise a solution, I never seriously believed it would happen. After all, how could a consumer enter a 4-digit PIN from a personal computer and still meet the high encryption standards required for Payment Card Industry (PCI) compliance? Nevertheless, the topic is resurfacing again, and online PIN debits may finally be just around the bend.

The primary reason e-commerce merchants want to accept PIN debits is the savings. As I explained in this article I posted several months ago, brick-and-mortar merchants with high-dollar average sales can save considerable amounts by requesting PIN numbers from customers. But the PCI rules requiring that the debit card be swiped through a magnetic card reader and that the PIN number be encrypted have kept online merchants from participating.

In her June 2009 article for Transaction Trends magazine, Julie Ritzer Ross profiles software and hardware developers that are on the leading edge of finding a workable solution. PaySecure, from Atlanta-based Acculynk, is currently being tested by some of the largest players in the debit network business: ACCEL, NYCE, and Pulse. PaySecure’s software will place a floating “keypad” on a shopper’s screen, receive the PIN, scramble and encrypt it, and then pass it along to the appropriate network. Hardware developer, HomeATM ePayment Solutions, recently introduced Safe-T-PIN, a small and inexpensive USB card reader that allows consumers to swipe their own credit cards while shopping online. It’s going to be the combination of these, or similar, software and hardware components that eventually makes online PIN debits a reality.

But before you rewrite the payment options in your e-commerce shopping cart, keep reading. Before credit card processors will begin supporting these solutions, they’ll need to feel pressure from their merchants. And for merchants, the pressure will have to originate with their customers, since it’s the consumers who’ll purchase the hardware. So, in the end, it’s going to depend on when and how widely the American consumer adapts to this new technology.

You’re probably asking, “Why would consumers want to purchase this equipment anyway?” After all, it’s the merchants who will reap the cost savings, not the consumers. According to Ross, PIN debit payments offer shoppers “perceived security.” Among the 550 shoppers who participated in the testing of PaySecure’s software, a whopping 79% of them said they felt more secure shopping online with their PIN than without it. Economic conditions may be another force that drives consumers to adopt online PIN debits. In a time when many shoppers lack the ability or the will to pile more debt onto their credit cards, debit cards are becoming their preferred payment methods. The thought of compromising their debit card (in effect, their entire checking account) may spur the acceptance of online PIN debits by consumers.

When this technology finally does make its way into the homes of America’s shoppers, it will be a day for merchants to celebrate. It’s rare that something comes along that benefits business owners more than consumers or credit card companies. And with the struggles of the past year, it’s about time merchants caught a break!

I’m happy to provide this information free of charge.  If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts.  You can also follow me on Twitter, where I regularly post short tips.  I promise to never spam you or pressure you.  Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!

If you’re involved with e-commerce (and you don’t live under a rock), then you’re probably aware that Authorize.net, the biggest, and arguably the best, payment processor around, experienced a failure of Biblical proportions this past Friday morning.  A fire in their Seattle, WA data center brought them (and the 238,000 Internet businesses that depend on them) to their knees.

For the record, I’ve been a fan of Authorize.net for years.  I used another processor in 2000 while first getting started in e-commerce, but we soon changed to Authorize.net.  Their service, features, and cost were (and continue to be) superior to their competitors.  I have many e-commerce clients today who rely on their payment gateway.  That being said, Authorize.net dropped the ball on Friday.  What remains to be seen is whether they will fumble or retain possession of the ball.

If your e-commerce business uses Authorize.net, you were certainly affected and probably lost money as a result.  So that your money wasn’t lost in vain, let’s look at what happened and try to learn a thing or two from Authorize.net’s mistakes:

1. Have a backup plan that includes worst-case scenarios, and test your plan. I don’t know exactly what Authorize.net did wrong.  I don’t know their business any more than I know yours. But I do know that when they shifted their traffic from Seattle to their backup data center(s), something didn’t jive. It may have been due to increased traffic resulting from millions of holiday promo emails. It really doesn’t matter. They knew it would be a busy weekend, and they weren’t prepared to handle what happened.
2. Have a communications plan, before you need it. If your business is dead in the water, how will you notify those who depend on you? How will you answer their questions? And, perhaps most importantly, how can you be sure your customers will believe you instead of rumors circulated by others? I was in a meeting with a large e-commerce client when I first heard about the outage. He read a Tweet about it online. His business website was down, and the owner learned why through Twitter. That’s amazes me! Authorize.net signed up for a Twitter account, but not until about 11:00 a.m. EST Friday. Within minutes, the Authorize.net Twitter account had more than a thousand subscribers awaiting updates. Authorize.net used Twitter to disseminate information to their merchants, and it was the only reliable source of information throughout the weekend.  I’m still getting updates via Twitter, including one a few minutes ago (7:30 p.m. EST) announcing they are finally back up to full speed.
3. Answer the phone! I understand that most of us don’t have 238,000 customers calling at the same time. It’s not possible to answer that many calls right after disaster strikes.  But I spoke to many merchants today (3 days after the fact), and none of them had been able to get through to Authorize.net.  Make every effort to answer your phone, even if you know the caller is going to be angry.
4. Post updates on your website. Many of my clients were unable to log in to their Authorize.net accounts. That’s understandable considering what happened. But their homepage was up throughout the weekend.  Knowing that businesses across the country were down, Authorize.net could have at least posted a simple message on their homepage. Any news would have been better than no news at all!
5. Don’t pat yourself on the back while your clients are still hurting. This one should be obvious; in fact, I’m still shocked that Authorize.net had the guts to do it. Driving home from my client meeting at about 3:00 pm Friday, I received another Tweet from Authorize.net.  The author was congratulating everyone on “the team” for the outstanding job they were doing.  There was no mention of how their downtime was affecting businesses. Next time, Authorize.net, apologize for your problem before congratulating yourself for fixing it!
   
6. Don’t make promises you can’t keep. Authorize.net Tweeted all weekend about how this was finally working and how that would be working soon.  More often than not, they were wrong and had to retract statements. Remember that your clients are making promises based on the promises you’re making to them. If you’ve already let them down once, down let them down again.

As of 5:00 p.m. EST Monday, Authorize.net was still having problems (three and a half days after the event occurred.) Shopping carts were still timing out, many shoppers were still unable to order, and Authorize.net’s website still posted no information whatsoever. Please learn from this, Authorize.net! Your merchants are watching.

I’m happy to provide this information free of charge.  If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts.  You can also follow me on Twitter, where I regularly post short tips.  I promise to never spam you or pressure you.  Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!

For years, I’ve been a supporter of the Address Verification Service (AVS), especially when it comes to e-commerce. I’ve seen it protect merchants from thousands of dollars in loses. As a former e-commerce business owner myself (co-owner of 2BigFeet.com), I used it to identify and prevent countless fraudulent orders that would have otherwise resulted in chargebacks. But too often, I hear stories from business owners about a time when AVS flagged an order from a “good customer.” As a result, some merchants have lost faith in the system and have abandoned it altogether. Just because of one or two bad experiences, these merchants willingly risk accepting bogus orders (and certain chargebacks) rather than risk angering good customers with false positives.

Most e-commerce businesses use AVS to reject fraudulent orders before they ever reach your fulfillment department, so you typically won’t know how many were blocked. And, since criminals don’t usually call and complain about their rejected orders, the false positives receive a disproportionate amount of attention. That being said, I’ll agree that AVS is not perfect. But many of the problems that legitimate customers experience are the fault of card issuing banks, not the AVS system itself. If you’ll follow the steps outlined in this post, you can reduce your false positives to a manageable number and benefit from the added security AVS offers.

1. If your customer’s order is rejected, she’s already going to be disappointed. First, and foremost, don’t allow your shopping cart to make the situation worse! The goal here is to have the affected customer call your customer service number immediately. Some carts use default messages that were obviously written by cold-hearted programmers, not warm-hearted customer service professionals. If you don’t know what message your rejected customers are seeing, put yourself in their shoes. Place a test order using a bad address. If the resulting message could make customers feel at fault or ignorant, change it. Avoid words like “mistake.” (Men, if you’re not the warm, fuzzy type, get a woman to help you.) Make sure your customers believe you really want to help fix this minor issue, or they’ll leave without giving you the chance.
2. Often, the customer will have already called the card issuing bank prior to calling you. If the bank told the customer the charge was approved (indirectly placing the blame on you), the customer may already be irritated when you answer the phone. You should understand, and be prepared to explain, that all orders must be approved by both the card issuing bank and the payment gateway. Since the bank only verifies the customer’s available credit, it will approve most orders. But your gateway checks addresses using the AVS system. And if the gateway is not satisfied with the AVS results, it will deny the order (even if the bank has already approved it.)
3. When the customer calls, apologize for the inconvenience. Explain that the problem could be the result of a bank error. Assure her that you’ll do everything possible to get the order approved. Finally, ask the customer if she has changed addresses within the past five years. Although this may sound like a strange question, it is very important. If the customer ever received her credit card statements at another address, regardless of how long it’s been, ask for that address. Beg for it, if necessary, even if she assures you that she’s shopped elsewhere using her new billing address. (Due to different merchants, different payment gateways, and different AVS thresholds, your business could refuse an order that another business might have approved.)
4. Try the order again, using the old billing address in place of the newer address. For reasons I don’t completely understand, inserting the old address corrects the problem about 75% of the time. It’s my theory that some banks’ computers use one set of address fields for mailing monthly statements and another set of fields for AVS. I suppose that when customers move and notify their card issuing banks, the banks may update the fields used for statements and forget to update the AVS fields. I haven’t been able to confirm this, but it makes sense. Using this approach, I’ve seen orders approved using addresses that were 5 years out-of-date!
5. If this doesn’t work, you should apologize and ask the customer to try another credit card. If the customer doesn’t have another card, you’ll have to choose to either a) disable AVS long enough to force the order through, or b) turn the customer away. In my seven years of e-commerce management, during which we approved tens of thousands of orders, I could count on one hand the number of times I had to make this choice.

Hopefully, this procedure will help you get more out of the Address Verification System. Keep in mind, though, that AVS does have other limitations. AVS usually will not verify customers with billing addresses outside the U.S. And if your customer is using a card issuing bank located outside the U.S., AVS may experience problems there, as well. Otherwise, you should be able to count on the AVS system to work nearly 100% of the time.

I’m happy to provide this information free of charge. If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts. You can also follow me on Twitter, where I regularly post short tips. I promise to never spam you or pressure you. Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!

One of my larger e-commerce clients called the other day. This merchant has been with me for about a year. The owner originally signed with me not because of the savings (and yes, there were savings), but because of the experience I had as a prior Internet business owner. Because this merchant sells high-value items, she enlisted my help with fraud prevention, and over the past year, we implemented a series of safeguards to cut down on fraudulent orders and the resulting chargebacks.

When I answered the call, it wasn’t the business owner on the phone. It was one of her newer employees. The young man (a CSR) had spent the better part of the day trying to complete a $4,000 order for a customer. Authorize.net had rejected the customer’s card numerous times, despite the card issuing bank’s insistence that it had authorized every transaction. The CSR was confused and wanted to know if I would help him “force the order through.”

After a few minutes of Q&A, the rest of the story unfolded. This customer had first contacted my client via phone, but he delayed placing his order for several days. Now that his card was being rejected, the customer insisted that the CSR keep trying, using a different variation of the address each time. The customer was also insistent that his order be delivered faster than the website’s estimated normal delivery time. So… the customer was casual at first, but now he was in a rush? My “uh-oh alarm” began to beep.

I answered the CSR’s question about “forcing the transaction” by asking a question of my own: Would the CSR accept responsibility if the transaction turned out to be fraudulent? Of course, he answered “no.” I explained how the website’s security measures worked, and why his boss wanted them in place. I told him that although it was possible to turn the features off long enough for the card to be approved, I couldn’t recommend it. I also pointed out that it can be a sign of trouble when customers are impatient or make unreasonable shipping demands.

Drawing from my own past experiences, I named several things that can cause similar problems. For instance, if the AVS match requirements are set too high, the gateway can mistake good orders for bad. Also, some card issuing banks will update a cardholder’s change of address just enough to get their statements delivered, but then leave the old address visible in other fields used by AVS. I explained to him how he could rule out those possibilities. Other than that, I reminded him that the security features were there for a reason, and I suggested that he allow them to do their job.

In the end, the customer turned out to be legitimate. When the CSR explained the situation, the customer wired the funds to the merchant. We never found out exactly why Authorize.net had blocked the authorization. Regardless, the security features continue to work 99% of the time. And the merchant remains confident in her safeguards, even it they do complicate an order from time to time. At least problems like this don’t result in chargebacks.

I’m happy to provide this information free of charge.  If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts.  You can also follow me on Twitter, where I regularly post short tips.  I promise to never spam you or pressure you.  Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!

If you own or manage an e-commerce business, and you’re not using the Address Verification Service (AVS) to help validate orders, you’re increasing your exposure to chargebacks. Like most security measures, AVS is not perfect. For instance, it only works with participating banks, which limits its effectiveness overseas. But, at the very least, it can be used to separate your customers into two broad groups: those who are almost certain to be legitimate and those you should give a second look.

Take a few minutes to read this article I posted at the Bank of America forum for small business owners. The article describes the risks you take if you either fail to use AVS on your commercial website or you choose to ignore the warnings received from AVS. This is the true story of how my own Internet business, 2BigFeet.com, ignored the signs and lost a lot of money. If you’ve never heard of AVS, or you’re just not using it now, take a look. Hopefully, it’ll help you avoid the hard lesson we learned.

And one last thing… there is no cost to credit card processors for AVS. In fact, your credit card processor should offer it for free and encourage you to use it. After all, reducing chargebacks benefits both processors and merchants. If your processor is padding their profits by charging an AVS fee, whose interests are they protecting?

I’m happy to provide this information free of charge.  If you found it helpful, please subscribe to my RSS feed so you’ll be notified of future posts.  You can also follow me on Twitter, where I regularly post short tips.  I promise to never spam you or pressure you.  Please forward this to your friends in business, and feel free to rate my post or leave a comment so I’ll know how to improve. Thanks!

To do business on the Internet and accept online credit card payments, e-commerce merchants need both a merchant account and a payment gateway. The gateway secures the transactions and collects CC authorization numbers, guaranteeing that you (the merchant) will receive payments from your customers’ credit cards. The merchant account works with an acquiring bank to convert authorizations into cash, depositing the money directly into your business’s bank account. But does it matter which of these two providers you contact first? Yes, it does matter (unless you don’t care about saving money, and if that were the case, you wouldn’t be reading this!)

Payment processors (merchant account providers) usually act as resellers for payment gateway providers, and vice-versa. So either one can usually provide you with the other’s services. But since most credit card processing costs (discount rates and per-item fees) are paid through the merchant account, you can save more money if you start by shopping for a payment processor who offers great rates. Once you’ve found your processor, let them establish your new payment gateway (with Authorize.net or another reputable gateway provider.)

Recently, I was contacted by a fairly large e-commerce business with first-year sales of about $4 million. They’d been in business for just under one year. In their haste to go live, they’d accepted a bad rate plan from their local bank. After a successful first year, they were ready for a better deal and better service. Because they’d been using Authorize.net since the beginning, they contacted Authorize.net and asked for help finding a new merchant account. Authorize.net was more than happy to oblige. Soon, the business received contracts for a new gateway (from Authorize.net, of course) and a new merchant account (from an Authorize.net “preferred partner.”) They found me just before signing the contracts. Not only were the discount rates and fees still too high, but the Authorize.net fees were high, too! I was able to set up a new merchant account and a new Authorize.net account, saving the merchant an additional $1,500 per month.

Based on my experience as an e-commerce business owner, Authorize.net is the best payment gateway available. I recommend them to nearly all my e-commerce merchants. But if any processor or agent insists that you use their preferred supplier, hold onto your wallet! Suppliers typically pay fees to be listed as “preferred”, and that usually results in higher costs for you, the merchant.

If you think you may have been the victim of an inside deal like the one I described, call me. I’d be happy to take a quick look at your statement. If it turns out that your gateway and merchant fees are reasonable, I’ll tell you. But if there’s room for improvement, I’ll tell you that, too.