Traditional Merchant Accounts vs. Aggregators

Not all merchant accounts are created equal.

When shopping for a merchant account, many tend to overlook the differences between the two very different merchant account types; the traditional model and the aggregator model.

The traditional model works as one might expect. A merchant contacts their MSP, and opens a merchant account. This MSP will have relationships in place with financial institutions as well as frontend and backend processors. While the nature of these relationships can vary, at a bare minimum, the MSP will facilitate the inception of an account with their partner financial institution on your behalf, and solely for your use.

The aggregator model is a bit different. Although the infrastructure remains largely the same, aggregator companies (such as PayPal and Stripe) actually play the role of the single merchant account holder in the hierarchy, and then process transactions through this single account on behalf of their customers.

The quickest way to identify which type of account you are opening is to evaluate the amount of information requested to open an account.

In the traditional manner each merchant is provided their own merchant account via an FI, therefore they are required to meet the same requirements in place to open a traditional bank account, and go through an underwriting process to verify information provided and substantiate the business. These accounts also must comply with portions of the Patriot Act of 2001, which requires financial institutions to take extra steps in identifying their customers in an effort to combat international money laundering and the financing of terrorism.

Aggregators, on the other hand, are simply reselling the use of a single merchant account in their name, and take on the risk of managing all their own accounts internally. These accounts can often open accounts online, and often with instant approval.

Neither one of these is inherently better than the other, and each have their perks and drawbacks.

Aggregator accounts are very popular due to their fast account opening and simple terms but can be subject to lower limits and longer holds on their accounts due to the comparatively lax identification requirements which expose the provider to more risk. A traditional merchant account typically alleviates these constraints but can come in at a higher cost or level of merchant involvement.

Since there isn’t a right or wrong choice here, it all comes down to understanding the needs of you and your business.

If you aren’t sure which one is right for you- feel free to give one of our experts a call. As a longtime merchant advocate, we will point you in the right direction, even if that direction is one of our competitors.

59% of Merchants Accept Bitcoin to Boost Ecosystem

From Californian wineries to bars in Beijing, 2013 was widely considered a banner year for bitcoin, as business owners around the world began to take advantage of the technology to cut costs and woo new and influential consumers.

Unsurprisingly, expectations were high for 2014, and so far, it’s delivered with major brands such as Lord & Taylor, Overstock and TigerDirect following the lead of early adopters to accept bitcoin for payment.

Still, while merchant adoption of bitcoin and other digital currencies is on the rise, less is known about these new additions to the digital currency ecosystem as a demographic – why they accept bitcoin, how they do so and whether they consider their experience with bitcoin to be positive.

In Part One of this series, we’ll seek to better define the merchants who are operating in the space to paint a picture of this influential sector of the expanding ecosystem.

51% began accepting bitcoin in the last three months

In total, 51.8% of respondents reported that they began accepting bitcoin within the last three months. Nearly one-fifth (17.8%) reported adding bitcoin as a payment option within 30 days prior to the survey.

Still, there were a sizeable number of merchants who have long supported bitcoin. Roughly one-third (29.2%) of respondents have been accepting bitcoin for six months or more, with 12.5% reporting that they’ve been accepting the currency for over one year.

When Did You Start Accepting Bitcoin?

Despite fears that the recent decline in the price of bitcoin would turn merchants away from the volatile ecosystem, the survey suggests that its negative attention may have actually bolstered interest in bitcoin.

71% accept bitcoin online; 88% own bitcoin

The survey found that of the merchants who accept digital currency, 71% of respondents do so online, while 34% of respondents accept bitcoin at their bricks-and-mortar stores. Some merchants surveyed accept bitcoin both online and at their physical stores.

While it may not be surprising that the digital payment method has been most widely used online, the margin is notable, as it suggests that merchants are twice as likely to accept online than at a physical location.

Furthermore, the vast majority of merchants who accept bitcoin also reported that they own or owned bitcoin, with 88% saying that they have done so.

Just 12% of merchants who accept bitcoin said they have never owned bitcoin.

59% accept bitcoin to boost the ecosystem

Perhaps most surprising, was that despite the many benefits bitcoin can bring to businesses in terms of savings, only 8.2% began accepting bitcoin to save money, and just 8.2% were encouraged to do so by their customers.

The majority of merchants (59%) say they began accepting bitcoin to show their support for digital currency.

What Was the Main Reason You Started Accepting Bitcoin?

Still, the results lend credence to those who have accused some companies of trying to take advantage of bitcoin’s popularity. Nearly one-fourth (24.2%) said that the main reason they began accepting bitcoin was that it was a marketing opportunity.

ClearGate & CIEO
Bitcoin Merchant Services

Survey Results: One-Fourth of Bitcoin Merchants Enjoy 10% Sales Boost

In the first installment of our merchant survey, we uncovered that the majority – 59% – of merchants are accepting bitcoin to better support the bitcoin ecosystem. However, the bigger takeaway from this statistic is that the main driver of bitcoin adoption is not its cost-cutting benefits when compared to traditional financial tools.

While bitcoin benefits from adding like-minded merchants to the ecosystem, the true expansion of bitcoin as a currency and payment method will likely rest on convincing those who may not believe fully in bitcoin’s underlying political motivations and ideology.

As such, it’s arguable that the most important question when it comes to merchant expansion is, if the savings bitcoin provides isn’t a major factor: Do merchants that accept bitcoin see a sales increase for doing so? And if so, do they make enough to convince those who might have reservations about joining the movement?

To date, we know that major retailers are achieving this result. Online retail giant Overstock topped $1m in sales in just under two months of accepting bitcoin, and TigerDirect followed suit, passing this milestone in a similar timeframe.

What isn’t clear, though, is if smaller and mid-size merchants are achieving similar results.

25% attribute more than 10% of their monthly sales to bitcoin

In total, our survey found that 24.5% – or roughly one-fourth – of respondents indicated that more than 10% of monthly sales are attributable to bitcoin purchases.

It’s important to note that an unknown number of these respondents are likely bitcoin-only businesses, but that we do know that some merchants are achieving similar results even when accepting fiat currency.

The majority of merchants (56%), however, say that bitcoin is attributable to 0% to 2% of their total monthly sales. Though, it should be noted that Part One of our survey showed half of respondents have only been accepting bitcoin for under three months, meaning this figure may be due to the initial bump in sales most merchants report.

44% say it’s ‘very easy’ to accept bitcoin

The survey also asked merchants to rate how difficult it was to start accepting bitcoin, and in the process debunked a long-standing myth that accepting bitcoin is an onerous process.

Overall, 42.7% said it was ‘very easy’ to begin accepting bitcoin, while an additional 35.39% said it was ‘easy’. Just 1.12% reported that it was ‘difficult’ to begin accepting the digital currency.

On a scale of one to 10, with 10 representing the highest difficulty, respondents, on average, reported that accepting bitcoin had a difficulty level of 2.

ClearGate & CIEO

Bitcoin Merchant Services

Hosted Payment Page/iFrame Best Practices

ClearGate has taken many steps to reduce the PCI burden for both VAR’s and Merchants with our Hosted solution; however, we still recommend that network admins at all levels take steps to ensure continued data security.  

While the infrastructure we have in place allows for card data to make its way to our gateway securely, independent websites are still vulnerable to third party attacks that can intercept sensitive data before it makes it to us.

Below are best practices as recommended by the PCI Security Standards board in their PCI DSS E-commerce Guidelines (January 2013):

Read the whole guide here

Know the Location of all Your Cardholder Data

Data-flow diagrams provide an important aid to understanding the scope of the cardholder data environment by showing the actual flow of cardholder data as it is being transmitted across various networks and systems. Periodic review will ensure accuracy as changes to the environment may occur.

A well-designed data flow diagram will:

• Identify each system involved in the storing, processing and transmission of cardholder data (CHD)
• Identify any system connected to the systems which store, process or transmit cardholder data
• Illustrate how cardholder data is processed, for example, how CHD is managed within a web application’s functionality and pages, along with how the data flows within a network or across multiple networks
• Illustrate where security controls are implemented
• Illustrate and make a clear distinction between payments processed under the merchant’s responsibility (whether developed internally or purchased from a third party and integrated with a shopping cart) vs. payments processed solely within third party environments.

If You Don’t Need It, Don’t Store it

Eliminating any cardholder data that is not needed per PCI DSS Requirement 3.1, consolidating necessary cardholder data in known and manageable locations, and isolating all cardholder data away from noncardholder environments may reduce the number of locations and amount of cardholder data that require protection, as well as the number of access points to the CDE that need to be secured.

Evaluate Risks Associated with the Selected E-commerce Technology

Entities should thoroughly and carefully evaluate the risks associated with each e-commerce solution prior to selecting or implementing one. Whether an e-commerce solution is fully hosted and managed by the merchant, or is partially or fully outsourced to a third-party, results in different levels of risk for the merchant.

The flow and storage of cardholder data should be accurately documented as part of this risk assessment process to ensure that all components and third parties are identified and properly secured or managed. Once implemented, e-commerce environments should be included in an organization’s annual risk-assessment process.

Address Risks Associated with Outsourcing to Third-party Service Providers

Security is a critical element for any website, shopping cart or other e-commerce service. The following best practices are offered for consideration when outsourcing any component of a merchant’s e-commerce environment to third parties.

When evaluating potential services from third parties, e-commerce merchants should consider the following:

• Request quotes from multiple service providers in order to gain familiarity with the basic elements of a service offering and to learn about the available optional features.
• Ask for a description of security services. A company capable of supporting payment services should be able to describe their security capabilities in clear, non-technical terms and offer security as a part of their basic service.
• Buy payment services from an e-commerce service provider that can provide references from financial institutions or other payment service companies. Handling payments securely requires experience.
• Research prospective providers; there are numerous resources available online that provide customer reviews, service provider ratings, and even security breach history.

When engaging with service providers, merchants should have a contract or written agreement that:

• Specifies the responsibility for compliance with PCI DSS requirements for both the merchant and the service provider (per PCI DSS Requirement 12.8).
• Indicates how they meet applicable PCI DSS requirements.
• Identifies whether the service provider will undergo its own PCI DSS compliance validation or will support the merchant’s PCI DSS assessment each year for the services provided by the service provider.

When managing third-party service providers, merchants should consider the following:

• If outsourcing web-hosting services, ask the provider for standard hardware and software configurations, a defined schedule for updating hardware and software patches and versions, a 7x24x365 active monitoring service, and support for investigations in the event of a security breach.
• If outsourcing data storage services, verify whether the service provider can independently manage encrypted backups and database administration. Clarify these features in the agreement or contract, along with appropriate PCI DSS controls as applicable.
• If a service provider’s network infrastructure and processes have not been assessed for PCI DSS compliance, the service provider may find it difficult or costly to remediate identified security issues. When outsourcing environmental or network infrastructure, agree which company will pay to remediate such security issues before signing an agreement or contract.
• Review third parties’ signed Attestations of Compliance (AOC) to confirm their compliance status is current (like merchants, service providers should validate PCI DSS compliance annually), and that the services being provided to the merchant are covered by the service provider’s PCI DSS assessment.
• Verify that the service provider’s PCI DSS assessment identifies them as a service provider (not as a merchant).
• Merchants hosted within a shared environment (i.e., more than one merchant’s website is hosted on a common server) should note that shared hosting providers must meet specific requirements as detailed in Appendix A: Additional PCI DSS Requirements for Shared Hosting Providers, in addition to all other applicable PCI DSS requirements. Confirm that the PCI DSS assessment of a shared hosting provider includes all applicable requirements.

ASV Scanning of Web-hosted Environments

PCI DSS Requirement 11.2 for external and internal vulnerability scanning applies to e-commerce websites because they are part of the cardholder data environment. When a merchant outsources website hosting and/or management to a third-party hosting provider, the merchant may not have control over the scanning process. The following best practices apply to merchants using third-party web hosting:

• Ensure that ASV scanning is being carried out as specified by PCI DSS Requirement 11.2.
• If a merchant’s e-commerce site is hosted in a shared environment (more than one merchant’s website on the same server), there are two options available for scanning:
  • The hosting provider can undergo ASV scans on their own and provide evidence of compliant scans to the merchant; or
  • The hosting provider can undergo an ASV scan as part of each of their merchant’s ASV scans.
• Ultimately, it is the merchant’s responsibility to ensure their hosted environment receives a passing result on a quarterly basis from appropriately scoped ASV scans.

Best Practices for Payment Applications

• Use SSL/TLS when transmitting cardholder data internally (for example, at cardholder data ingress and egress points) within the merchant’s network.
• Due to the dynamic nature of e-commerce environments and frequent changes to websites and web applications, and as traditional firewalls may not have the capability to inspect the contents of encrypted network traffic, consider implementing a web-application firewall (WAF) or additional intrusion-detection technologies.
• Follow PA-DSS when internally developing and implementing payment applications/shopping carts to help ensure that the application will support PCI DSS compliance.
• Consider using third-party payment applications that are PA-DSS validated and noted on the list of Validated Payment Applications as “acceptable for new deployments” (see the PCI Council website for the current list of Validated Payment Applications).
  • Note that some payment brands require the use of PA-DSS validated payment applications where third-party payment applications are in use. Merchants should consult with their acquirers or the payment brands to understand applicable requirements.
  • The correct installation of a payment application is critical to the protection of payment card data. The payment application’s PA-DSS Implementation Guide (obtained from the payment application vendor) should be followed when installing and configuring the payment application to ensure that the product is implemented in a manner that supports PCI DSS compliance.
• Regularly review any links (such as URLs, iFrames, APIs etc.) from the merchant’s website to a payment gateway to confirm the links have not been altered to redirect to unauthorized locations.

Implement Security Training for All Staff

• Ensure all staff are trained to use systems securely and to follow defined procedures. Training should include awareness of potential security threats and the appropriate action to take in the event of a suspected breach.
• Train technical staff to properly manage security including firewalls, digital certificates, and SSL encryption.
• Train all internal staff to be aware of general security issues such as social engineering techniques used by unauthorized individuals to gain access to areas with cardholder data.

Other Recommendations

• Assign a specific team member(s) to monitor and report on any and all security alerts issued by the card brands and other security websites to stay current on emerging threats.
• Consider implementing an additional firewall between the application server and the database server to further reduce risks from the Internet-connected web server.
• Limit displays of account numbers to the minimum necessary for the consumer to complete their purchase. For example, once the account number is verified, don’t display the full number back to the consumer in the order summary or receipt.

Best Practices for Consumer Awareness

Provide awareness for consumers to protect their payment card data when making online purchases. Examples of such guidance could include:

• Don’t use public, untrusted computers for e-commerce transactions. Public computers may not be secure and could be capturing payment card data as it is being entered.
• Don’t make purchases when connected to an unsecured wireless network (for example, using your laptop computer with a public WiFi connection), unless you have a personal firewall on your computer.
• Be aware of “shoulder-surfing” if entering payment card data in a public location.
• Keep personal computers up-to-date with security patches.
• Always ensure your computer is running anti-virus software that is updated with the most recent virus signatures and definitions before connecting to the Internet.
• Always check for signs of a secure web page, for example, look for the “HTTPS” prefix in the web address or the little “padlock icon” at the top or bottom of the web browser, a green address bar, or a security seal before entering payment card data.
• Use strong passwords that cannot be easily guessed (for example, don’t use your date of birth or your name as a password).
• Keep your passwords private. For example, don’t write them on a piece of paper attached to your computer (especially if you are in a public place), and don’t save them in a file on a computer that is shared with others.