Practical Ecommerce

Credit Card Processing Sucks

Credit cards are cool. They make online shopping possible. But credit card processing, the system by which money moves from a customer to a merchant, totally sucks.

It sucks for three reasons: cost, liability, and security.

Let’s outline each in its stunning absurdity.

Credit card processing costs a fortune! Typical fees range from 2.5% to 3.5% of every transaction. That’s nuts, y’all!

Why should the credit card company collect 10 times as much money on a $100 transaction as on a $10 transaction? They’re simply processing data, and there is no inherent cost difference in processing one transaction over another. This is reason #1 that credit card processing sucks. Unfortunately, there is no great alternative at this time, so we have to live with the cost. But that’s the least of your worries.

However, it’s still interesting to think about why the fees are so high. I don’t work in that industry, so I’m only guessing, but I suspect the percentage-based fee is used to cover the cost of rewards, points, and miles to their customers (the cardholders).

The other “argument” I’ve heard for the exorbitant fees is that the credit card company’s liability increases as the dollar amount of a purchase increases. Nonsense! The credit card company protects their customers from fraud, but not at their expense. No, no, no! Instead, if fraud occurs, they recover the funds from whatever merchant allowed the fraud to take place. That could be you, my friend!

This is reason #2 that credit card processing sucks: liability.

Let me break it down. Let’s say someone steals a credit card and uses that stolen card to buy $500 worth of merchandise on my website. A month later, I’m notified that it was fraud. The $500 is removed from my account and the legitimate cardholder is reimbursed, but so is the credit card company! I’m out $500 plus the cost of the merchandise plus the cost of shipping plus a “chargeback” fee for the credit card company’s “inconvenience”. I’m completely screwed and everything is tilted in favor of the credit card company.

To make matters worse, there are no decent tools out there for a small business to completely eliminate this type of fraud. It’s simply a cost of doing business, I suppose. But it’s completely absurd that the merchant is left holding the bag because the credit card industry created such an insecure product. It’s way too easy for cards to be stolen and it’s way too difficult for online merchants to determine if a transaction is fraudulent.

The credit card companies provide us with no effective tools to help determine if fraud has taken place. We get AVS (the address verification system), which is basically useless, and the card security code (the 3-4 digit code on the back of the card). Are you kidding me? These two services suck.

Let’s start with AVS. This system is supposed to verify whether the billing address entered by a customer matches the billing address that the bank has on file for that credit card. Wonderful, right? No. It’s terrible because not every bank participates, banks often don’t have a customer’s latest address on file, and it’s too easy for hackers to obtain this information. AVS is essentially useless.

What about the card security code? Well, what’s so secure about a code written on the back of a card with all of the other crucial data? You wouldn’t write the combination to your safe ON the safe, would you? Every time you give your credit card to a waiter, they have unfettered access to this information. Nice “security”, guys.

As merchants, we’re left to try to figure this all out. The credit card processors provide us with “tips” (inane PDFs with stellar tips like, “Be careful!”). Seriously, their main tip is to only ship an order to the AVS-verified address of a cardholder. That sounds fine in theory unless your customer wants to ship to a friend, their business, a family member, a second house, etc. You’ll kill your business with a policy like that. So, as a business owner, you take 100% of the risk AND pay the credit card company for the pleasure of taking the risk.

That’s reason #2 that credit card processing really sucks.

But the most horrifying aspect of credit card processing is security. The acronym PCI should send you running for cover. It stands for Payment Card Industry and they have a “security council” whose job is to ensure that inherently insecure credit card information isn’t compromised by the merchants who are forced to use an outdated system.

The PCI council has a 60-page-long checklist of things every merchant should do to secure their business from hackers. They certify companies to provide security analysis and training to merchants in order to protect themselves from hackers. As a merchant that deals with credit cards, you must be PCI-compliant.

Becoming PCI compliant is not easy and it requires annual or quarterly scans by an ASV (approved software vendor). That’ll cost you a few hundred a year (if not more).

But even though you are PCI-compliant, you’re still vulnerable to massive fines and penalties should the card issuers (VISA, MasterCard, etc), at their discretion, determine that your business was hacked and credit card information was stolen.

If one of the credit card companies even suspects that card data was compromised from your business, they give you an ultimatum: Hire a PFI (which stands for PCI Forensics Investigator) to determine if, how, and to what extent your business was compromised. The starting price for a PFI is about $10,000! And when the PFI is done, they submit a report to the card company, which uses it to determine the amount of the fine they’re going to assess!

That’s reason #3 credit card processing sucks and it’s the most insidious.

If you’re starting to feel that the entire process is rigged against the merchant, you’re right!

There isn’t much you can do about #1 and #2 (until a whole new paradigm of direct transfers is created and credit cards are eliminated). But, you can reduce your exposure to #3 down to zero. And because #3 represents an open-ended liability, it’s the most important.

The solution?

JavaScript. Yep. JavaScript! If you employ a credit card processing system on your website in which card data is transmitted to your processor via AJAX (Asynchronous JavaScript and XML), your website never sees credit card data. You eliminate the need for PCI-Compliance entirely. Your liability is zero.
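The data flow described above, as an added example (not from the original article and not Stripe's code): the browser sends the card fields to the processor and posts only the returned token to the merchant, and a merchant-side check flags any posted field that still carries a card number. The field names, the `fakeTokenize` stub, the token format and the test card number are assumptions constructed for illustration.

```javascript
// Added example. Field names, the tokenize stub and the token format are
// assumptions; the card number is a constructed test value, not a real card.

const CARD_FIELDS = ["number", "cvc", "exp_month", "exp_year"];

// Luhn checksum over a digit string: true for a plausible card number (PAN).
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// Browser side: card fields go to the processor; everything else, plus the
// returned token, goes to the merchant server.
function splitCheckout(form, tokenize) {
  const card = {}, order = {};
  for (const [name, value] of Object.entries(form)) {
    (CARD_FIELDS.includes(name) ? card : order)[name] = value;
  }
  order.token = tokenize(card);
  return order;
}

// Merchant side: names of posted fields whose value contains a PAN-like run
// (13-19 digits, spaces and hyphens ignored, passing the Luhn check).
function findCardData(body) {
  return Object.keys(body).filter((name) => {
    const runs = String(body[name]).replace(/[ -]/g, "").match(/\d{13,19}/g) || [];
    return runs.some(luhnValid);
  });
}

// Stand-in for the processor's browser library (hypothetical).
const fakeTokenize = (card) => "tok_constructed_" + card.exp_year;

const form = { email: "a@example.com", amount: 1999, number: "4242 4242 4242 4242",
               cvc: "123", exp_month: "12", exp_year: "2030" };
const clean = splitCheckout(form, fakeTokenize);
// A template bug that posts a free-text field carrying the number is caught:
const leaky = { ...clean, notes: "card 4242-4242-4242-4242" };

console.log(findCardData(clean), findCardData(leaky));
```

Running a check like `findCardData` on every request the merchant server receives (and on its logs) is a cheap way to confirm that card numbers really never reach it.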

There are possibly several companies that offer such a processing solution, but the first I found was Stripe.com.

I suggest switching to Stripe or a company like them immediately. You won’t have to pay for quarterly PCI-compliance scans anymore. Your liability drops to zero. You can drastically lower your cyber liability insurance coverage (which you should put in place if you don’t have it!). And you can sleep easier at night.

Now, if we can just figure out how to deal with reasons #1 and #2…


Comments ( 10 )

  1. Ben Dwyer June 20, 2013

    You make a few good points, but avoiding PCI fees isn’t quite that simple. PCI validation is not a card brand mandate for level four merchants (most merchants are considered level four).

    The card brands have left PCI validation to acquirers, and acquirers handle validation in several different ways. Some charge a "PCI Fee" and do nothing to support merchants, others charge a fee and offer scans and such, and others ignore PCI altogether and charge nothing.

    In the first two cases, it doesn’t matter if a business is technically PCI compliant — it will have to pay a PCI fee if its acquirer dictates that one be paid.

  2. Jamie Salvatori June 20, 2013

    Ben – Unfortunately, your statement illustrates just how insane the whole system is! Nobody (especially merchants) can understand its intricacies!

    It’s a 70-year-old system that is inherently broken. It’s too easy to hack and desperately needs to be replaced. It’s a joke that we, as merchants, are put entirely at risk for a system that the card issuers have not yet found a way to make secure.

    That being said, I’m fairly certain that your website never touching credit card data makes PCI compliance a non-issue. Hit up the guys at Stripe for more details, but they’re very clear about that fact.

  3. cdamron June 21, 2013

    Jamie, I’ve worked in the credit card industry for 20 years and you’re right, it sucks. There are a few things that you wrote that are stretched, but for the most part everything in here is correct. The fact of the matter is merchants have a wobbly leg to stand on, and at the end of the day at any point it can be kicked out from under them. Part of the problem is these massive breaches that you hear about. When a big breach happens, very little of those costs are recovered by the merchant. Thankfully, over the next few years our system in the US is being replaced with chip cards like they already have in Europe. At that point we will all have chip cards with a PIN, which will hopefully eliminate a lot of the fraud and hopefully drive down costs. Now whether merchants really see pricing go down and whether we see major industry changes or not comes down to the almighty Visa.

    And as for Stripe, I know them well and right now they have a good setup. At least for now! With them taking on 100% liability, we’ll have to see if they can sustain that. Fraud happens every day and all it will take is for one case to mess the entire apple cart.

    Thanks for posting this, Jamie. I love your straightforward analysis. Our industry is a crazy industry which will probably not change anytime soon, but it is what it is and unfortunately we all love our credit cards…

  4. Richard Stubbings June 22, 2013

    I must say that it is certainly different here in the UK. Card rates are typically 1.2%-2%, and a fixed 0.10 – 0.25 for debit cards. The Verified by Visa system passes the liability to the banks, away from the merchants. PCI compliance can be cheap and not need security scans if you use a gateway-hosted form.

    The credit card company’s liability certainly does increase as the transaction value goes up. At the end of the day the credit card company HAS to refund the customer if there is a fraudulent transaction, and then obviously tries to get the money back from the merchant, but if the merchant has gone bust the credit card company foots the bill.

    Regarding tools, many UK payment gateways interface with a tool called the 3rd man. This has a fraud score against the transaction (e-mail, address, value, and other data).

    Overall I have to agree that the system sucks, that scam artists steal from the merchants, but it is nowhere near as bad in the UK as you say it is in the USA.

  5. Jamie Salvatori June 24, 2013

    Richard – Good to hear that better tools do exist for determining fraud, but it’s a shame that they aren’t given to merchants for FREE by the credit card processors. You’d think it would be in their best interest to provide merchants with every possible tool to determine if a transaction is fraudulent. But they don’t. And that should give you pause.

  6. Richard Stubbings June 26, 2013

    But the 3rd man tool is provided free (well, included in the total charges).

  7. Ben Dwyer June 27, 2013

    Jamie,

    A big reason why "credit card processing sucks" is that providers leverage the complexity of fees to take advantage of businesses, but there’s also a flip side — providers that oversimplify processing fees to the same end.

    For example, you’re plugging Stripe as a good solution to simplify PCI, but Stripe’s processing charges rely on a bundled pricing structure resulting in significantly greater costs than a merchant would be able to secure through a service like CardFellow that requires processors to separate markup from base costs (interchange-plus or interchange pass-through).

    Many merchants, especially higher volume merchants, would benefit more from a cost and value standpoint by taking advantage of more competitive pricing and a vendor that provides PCI validation assistance.

    Choosing a processing provider based on a single service detail like PCI support or ease of validation is a mistake.

    Granted, there are quite a few providers in this industry that profit from the complexity, but many tools and information are available to educate merchants about how processing and fees truly work.

    In this industry, simplicity is expensive, and thousands of processing options are available. There’s no substitute for due diligence and educating yourself about what’s available.

    A word of advice to merchants… start by learning the basics. Learn about the components of processing cost such as interchange, assessments, and markup. Learn about the pricing models that processors use to assess charges such as tiered pricing and interchange plus.

    Once you have a solid understanding of fees and pricing, look at details such as processing equipment, gateways, and software available. Various gateway options, like Stripe, have varying features and pricing. PCI exposure, validation and support is a single detail in what will be the ideal processing solution for your business. Learn the ropes, weigh the options, and make an informed decision.

  8. Kevin Woolf June 27, 2013

    Yes! Credit cards do suck, but I’ve found three alternatives. I happen to be in Taiwan, and ATM bank transfer is very popular. Green World (http://www.ecbank.com.tw/) offers a unique virtual transfer number for every transaction, so you know when a customer pays you money. They even link into the most popular carts like Magento, WooCommerce, Prestashop, and more.

    Ok, now my favorite–Dwolla! I love Dwolla. Sign up is a bit over the top, but once you’re verified, you can send and receive money using your account. And guess what. Only $0.25 per transaction up to $5K ($10K for business accounts). Yes, only 25 cents no matter what dollar amount you transfer. Easy to use, but it’s limited to USD and people with US bank accounts. My referral link here http://refer.dwolla.com/a/clk/5HSBxx

    Next is Coinbase. I like the idea behind Bitcoin, and Coinbase allows you to instantly cash out bitcoins to USD for zero exchange risk. No chargebacks, low fees. Only 1% + $0.15 per transaction. I can get with that. Again, a referral link https://coinbase.com/?r=51a4e6063ac9f6d06a00004f

    As a side note, stay away from Stripe! If you thought PayPal arbitrarily changes the rules, locks accounts, and holds your money, watch out for this one. If you ever get an e-mail from a fake employee named Maria, you’re in trouble. Search and you’ll see what I mean.

    So ATM, Dwolla and Coinbase. Go!

  9. Bob Herman June 27, 2013

    Shipping only to the billing address of the cardholder, as mentioned in the article, does not protect the merchant for Card Not Present/Internet transactions. In fact, even having a signed delivery receipt from the carrier (UPS / FedEx) at the cardholder’s billing address does not protect the merchant. For Card Not Present transactions, the law simply allows the cardholder to commit fraud. The Visa arbitrator will always rule in favor of the cardholder. Oh, by the way, the cardholder can claim fraud up to 9 months after the transaction cleared. If the cardholder was actually defrauded by a friend/relative/worker etc. that had access to receive the package (happens all the time!), then the much larger issuing banks should incur the loss, not the smaller merchants. The law needs to be changed.

  10. Colleen September 20, 2013

    Is there any action I can take on a credit card company that charged our business a “cancellation fee” without my knowledge? I changed processing companies after my contract was up, but they are saying my contract renewed automatically and took $495.00 out of my account.
