
Credit Card Processing Sucks

Credit cards are cool. They make online shopping possible. But credit card processing, the system by which money moves from a customer to a merchant, totally sucks.

It sucks for three reasons: cost, liability, and security.

Let’s outline each in their stunning absurdity.

Credit card processing costs a fortune! Typical fees range from 2.5% to 3.5% of every transaction. That’s nuts, y’all!

Why should the credit card company collect 10 times as much money on a $10 transaction than on a $100 transaction? They’re simply processing data and there is no inherent cost difference in processing one transaction over another transaction. This is reason #1 that credit card processing sucks. Unfortunately, there is no great alternative at this time. So, we have to live with the cost. But, that’s the least of your worries.

However, it’s still interesting to think about why the fees are so high. I don’t work in that industry, so I’m only guessing, but I suspect the percentage-based fee is used to cover the cost of rewards, points, and miles to their customers (the cardholders).

The other “argument” I’ve heard for the exorbitant fees is that the credit card company’s liability increases as the dollar amount of a purchase increases. Nonsense! The credit card company protects their customers from fraud, but not at their expense. No, no, no! Instead, if fraud occurs, they recover the funds from whatever merchant allowed the fraud to take place. That could be you, my friend!

This is reason #2 that credit card processing sucks: liability.

Let me break it down. Let’s say someone steals a credit card and uses that stolen card to buy $500 worth of merchandise on my website. A month later, I’m notified that it was fraud. The $500 is removed from my account and the legitimate cardholder is reimbursed, but so is the credit card company! I’m out $500 plus the cost of the merchandise plus the cost of shipping plus a “chargeback” fee for the credit card company’s “inconvenience”. I’m completely screwed and everything is tilted in favor of the credit card company.

To make matters worse, there are no decent tools out there for a small business to completely eliminate this type of fraud. It’s simply a cost of doing business, I suppose. But it’s completely absurd that the merchant is left holding the bag because the credit card industry created such an insecure product. It’s way too easy for cards to be stolen and it’s way too difficult for online merchants to determine if a transaction is fraudulent.

The credit card companies provide us with no effective tools to help determine if fraud has taken place. We get AVS (the address verification system), which is basically useless, and the card security code (the 3-4 digit code on the back of the card). Are you kidding me? These two services suck.

Let’s start with AVS. This system is supposed to verify whether the billing address entered by a customer matches the billing address that the bank has on file for that credit card. Wonderful, right? No. It’s terrible because not every bank participates, banks often don’t have a customer’s latest address on file, and it’s too easy for hackers to obtain this information. AVS is essentially useless.

What about the card security code? Well, what’s so secure about a code written on the back of a card with all of the other crucial data? You wouldn’t write the combination to your safe ON the safe, would you? Every time you give your credit card to a waiter, they have unfettered access to this information. Nice “security”, guys.

As merchants, we’re left to try to figure this all out. The credit card processors provide us with “tips” (inane PDFs with stellar tips like, “Be careful!”). Seriously, their main tip is to only ship an order to the AVS-verified address of a cardholder. That sounds fine in theory unless your customer wants to ship to a friend, their business, a family member, a second house, etc. You’ll kill your business with a policy like that. So, as a business owner, you take 100% of the risk AND pay the credit card company for the pleasure of taking the risk.

That’s reason #2 that credit card processing really sucks.

But the most horrifying aspect of credit card processing is security. The acronym PCI should send you running for cover. It stands for Payment Card Industry and they have a “security council” whose job is to ensure that inherently insecure credit card information isn’t compromised by the merchants who are forced to use an outdated system.

The PCI council has a 60-page-long checklist of things every merchant should do to secure their business from hackers. They certify companies to provide security analysis and training to merchants in order to protect themselves from hackers. As a merchant that deals with credit cards, you must be PCI-compliant.

Becoming PCI compliant is not easy and it requires annual or quarterly scans by an ASV (approved software vendor). That’ll cost you a few hundred a year (if not more).

But even though you are PCI-compliant, you’re still vulnerable to massive fines and penalties should the card issuers (VISA, MasterCard, etc), at their discretion, determine that your business was hacked and credit card information was stolen.

If one of the credit card companies even suspects that card data was compromised from your business, they give you an ultimatum: Hire a PFI (which stands for PCI Forensics Investigator) to determine if, how, and to what extent your business was compromised. The starting price for a PFI is about $10,000! And when the PFI is done, they submit a report to the card company, which the card company uses to determine the amount of the fine they’re going to assess!

That’s reason #3 credit card processing sucks and it’s the most insidious.

If you’re starting to feel that the entire process is rigged against the merchant, you’re right!

There isn’t much you can do about #1 and #2 (until a whole new paradigm of direct transfers is created and credit cards are eliminated). But, you can reduce your exposure to #3 down to zero. And because #3 represents an open-ended liability, it’s the most important.

The solution?

JavaScript. Yep. JavaScript! If you employ a credit card processing system on your website in which card data is transmitted to your processor via AJAX (Asynchronous JavaScript and XML), your website never sees credit card data. You eliminate the need for PCI-Compliance entirely. Your liability is zero.
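The flow described above, as an added example that is not code from the original post or from any processor: the browser sends the card to the processor, gets a token back, and posts only the token to the merchant. Both URLs, the function names and the injected `httpPost` transport (a thin `fetch` wrapper in a real page) are hypothetical; a real processor's client library takes the place of `tokenizeCard`.

```javascript
// Added example. Both URLs and all function names are hypothetical.
const PROCESSOR_TOKEN_URL = "https://processor.example/v1/tokens";
const MERCHANT_ORDER_URL = "https://shop.example/api/orders";

// Luhn checksum, used to recognise card numbers that must not reach the merchant.
function luhnValid(digits) {
  let sum = 0;
  for (let i = 0; i < digits.length; i++) {
    let d = Number(digits[digits.length - 1 - i]);
    if (i % 2 === 1) { d *= 2; if (d > 9) d -= 9; }
    sum += d;
  }
  return sum % 10 === 0;
}

// True if any 13-19 digit run (spaces or hyphens allowed) passes Luhn.
function containsCardNumber(payload) {
  const runs = JSON.stringify(payload).match(/\d(?:[ -]?\d){12,18}/g) || [];
  return runs.some((run) => luhnValid(run.replace(/[ -]/g, "")));
}

// Step 1: the browser sends the card straight to the processor and gets a token.
async function tokenizeCard(card, publishableKey, httpPost) {
  const res = await httpPost(PROCESSOR_TOKEN_URL, {
    key: publishableKey,
    number: card.number.replace(/[ -]/g, ""),
    exp: card.exp,
    cvc: card.cvc,
  });
  if (!res || typeof res.token !== "string") {
    throw new Error("tokenization failed");
  }
  return res.token;
}

// Step 2: the merchant server receives the order and the token, never the card.
async function checkout(card, order, publishableKey, httpPost) {
  const token = await tokenizeCard(card, publishableKey, httpPost);
  const payload = { ...order, paymentToken: token };
  if (containsCardNumber(payload)) {
    throw new Error("refusing to send card data to the merchant server");
  }
  return httpPost(MERCHANT_ORDER_URL, payload);
}
```

In the page itself, the card inputs should carry no `name` attribute, so that a native form submission cannot post them to the merchant if the script fails.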

There are possibly several companies that offer such a processing solution, but the first I found was

I suggest switching to Stripe or a company like them immediately. You won’t have to pay for quarterly PCI-compliance scans anymore. Your liability drops to zero. You can drastically lower your cyber liability insurance coverage (which you should have in place if you don’t!). And you can sleep easier at night.

Now, if we can just figure out how to deal with reasons #1 and #2…

Jamie Salvatori