Posts Tagged ‘risk management’

Legal billing and payment technology increases cash flow

Sunday, January 8th, 2012

Here’s a sneak preview of two innovations that will improve your EBITDA in 2012 with very little effort by your legal staff. The first improves billable-time data capture; the second enhances payment acceptance with a flexible, PCI compliant solution while mitigating risk.

Capture more billable time with a new mobile time tracker that lets you capture and assign billable time by matter code and client. A key feature is the pop-up on incoming calls: when you hang up, you can immediately assign the call to a client for billing and even enter notes. The length of the call is prefilled for you. All of this data is accessible back in the office via a web-based dashboard.

Image: expense record on a mobile device. Assign and submit billable/reimbursable expenses on the go.

Our payment gateway works with your existing payment processors, creating numerous efficiencies, increasing cash flow, and reducing the cost of payment acceptance. Partners will have unprecedented access to client billing and payment data based on the permissions granted. Clients will have new ways to receive invoices and make payments. Finance staff will have tools to automate processes and control payment processing costs. You’re in control of the most flexible, scalable payment solution available today.

Image: virtual terminal and web payment page for a law firm.

We’ve been too busy bringing clients on board to create comprehensive marketing materials; the technology is ready for immediate implementation. Payment modules include: virtual terminal, batch upload, Electronic Bill Presentment & Payment (EBPP), dashboard reporting, report writer, shopping cart and pay page.

Legal Payment Brochure (PDF download). This one-page document will be updated in the future.

Join clients listed in the 2011 U.S. News – Best Lawyers ‘Best Law Firm’ Rankings. Contact us now to find out why they chose our technology.


Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT

Thursday, September 29th, 2011

Is it any surprise that actual Payment Card Industry (PCI) Data Security Standard (DSS) assessments by Verizon’s team of Qualified Security Assessors (QSAs) show that growth in compliance is stagnant? Even worse, organizations that suffered data breaches were much less likely to be compliant than the normal population of PCI clients. About 20 percent of organizations passed less than half of the DSS requirements, while 60 percent scored above the 80 percent mark. For all those merchants sounding off about an annual PCI compliance fee, the evidence is clear that merchants still have a long way to go. 100% PCI DSS compliance is the only acceptable statistic.

Organizations struggled most with the following PCI requirements:

  • 3 (protect stored cardholder data)
  • 10 (track and monitor access)
  • 11 (regularly test systems and processes)
  • 12 (maintain security policies)

The first two of these can easily be addressed with our hosted payment processing technology, CenPOS. If you’re going to store cardholder data, the PAN must be rendered unreadable wherever it is stored (PCI DSS Requirement 3.4), which in practice means strong encryption or replacing the PAN with a token. One of the major problems has been ready access to solutions for storing cardholder data for variable billing. Most gateways have a PCI compliant solution to store encrypted card data for recurring billing, charging the same amount on a fixed schedule. However, CenPOS is unique in offering stored card data for billing a variable amount, known as token billing. Additionally, it is the only technology this writer is aware of that also includes interchange optimization, of major importance to companies trying to control credit card processing fees.

Image: encrypted cardholder data and token billing for a variable amount. Tokens are issued for stored card data and are worthless if stolen.

Requirement 10 (Tracking and Monitoring) is a major component of CenPOS. Every user has a unique login, and management can micromanage permissions. Where others create a few tiered levels of permission such as cashier, finance, and administrator, CenPOS offers a plethora of options, plus management tracking and research tools.

  • User permissions: control the precise transaction types allowed, set maximum thresholds, and set alerts based on responses, amounts and other criteria. Extensive permissions give the merchant maximum protection from lower-level employees, and tools for secondary oversight at the admin level mitigate the risk of fraud by senior employees.
  • Tracking and monitoring: the requirement calls for tracking and monitoring all access to network resources and cardholder data; the main objective is to maintain system logs and have procedures that ensure their proper use, protection, and retention. According to the Verizon report this has historically been one of the most challenging requirements, but it is critical to forensic investigations when they are needed. CenPOS logs everything related to the payment process, including user ID, time stamps and every other element of interaction with the system. Merchants must still have their own internal logging for their network.
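The two ideas above, a token that stands in for stored card data so that variable amounts can be charged later, and an audit trail that records which user did what and when, are sketched below in an added example. This is illustrative code written for this page, not CenPOS code or any gateway’s API. The vault, its record layout and the HMAC-based cipher are assumptions for the sake of a stdlib-only runnable example; a production vault would use a vetted AEAD such as AES-GCM with a key held outside the application. The PAN used is the well-known 4111… test number, and the merchant and user names are constructed.

```python
"""Tokenization sketch: the merchant keeps a random token plus the last 4
digits; the vault keeps the PAN encrypted; every action is audit-logged."""
import hashlib
import hmac
import secrets
import time

# Well-known test PAN; constructed input, not a real card.
TEST_PAN = "4111111111111111"


def luhn_ok(pan: str) -> bool:
    """Mod-10 check that catches typos before anything is stored."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


# Stand-in cipher: HMAC-SHA256 keystream in counter mode plus an
# encrypt-then-MAC tag. Used only so the example runs without third-party
# packages; production code should use AES-GCM or another vetted AEAD.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag with a fresh 16-byte nonce."""
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("stored card record failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


class TokenVault:
    """Hypothetical vault: holds sealed PANs, hands out opaque tokens."""

    def __init__(self, key: bytes):
        self._key = key
        self._records = {}  # token -> (merchant_id, sealed "PAN|YYMM")
        self.audit = []     # who did what, when (PCI DSS Requirement 10)

    def _log(self, user: str, action: str, **fields) -> None:
        self.audit.append({"ts": time.time(), "user": user, "action": action, **fields})

    def tokenize(self, merchant_id: str, user: str, pan: str, expiry_yymm: str) -> dict:
        if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_ok(pan)):
            raise ValueError("invalid PAN")
        token = secrets.token_urlsafe(24)  # random; carries no information about the PAN
        self._records[token] = (merchant_id, seal(self._key, f"{pan}|{expiry_yymm}".encode()))
        self._log(user, "tokenize", merchant=merchant_id, token=token, last4=pan[-4:])
        return {"token": token, "last4": pan[-4:]}  # all the merchant ever stores

    def charge(self, merchant_id: str, user: str, token: str, amount_cents: int) -> dict:
        """Variable-amount charge by token; the PAN never leaves the vault."""
        rec = self._records.get(token)
        if rec is None or rec[0] != merchant_id:
            self._log(user, "charge_denied", merchant=merchant_id, token=token)
            raise PermissionError("token not issued to this merchant")
        if amount_cents <= 0:
            raise ValueError("amount must be positive")
        pan, expiry = unseal(self._key, rec[1]).decode().split("|")
        # The clear PAN is used only here to build the processor request
        # (sending it is out of scope for this sketch); the merchant gets
        # back a masked reference, never the PAN.
        self._log(user, "charge", merchant=merchant_id, token=token, amount=amount_cents)
        masked = "*" * (len(pan) - 4) + pan[-4:]
        return {"approved": True, "amount": amount_cents, "card": masked, "expiry": expiry}


if __name__ == "__main__":
    vault = TokenVault(secrets.token_bytes(32))
    card = vault.tokenize("firm-001", "finance.clerk", TEST_PAN, "2512")
    print(vault.charge("firm-001", "finance.clerk", card["token"], 1999))
    print(vault.charge("firm-001", "finance.clerk", card["token"], 4250))
```

The point to take from the example is where the PAN lives: only the vault can turn a token back into card data, the token is bound to the merchant that created it, and a token copied out of the merchant’s database buys an attacker nothing without the vault key and that merchant’s credentials. The audit list is the minimum Requirement 10 asks for at the application layer; the merchant’s own network logging is still required.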

Requirement 11 (Regular Testing) had the least compliance in the Verizon report. “Organizations continue to have difficulty meeting the sub-requirements regarding network vulnerability scanning (11.2), penetration testing (11.3), and file integrity monitoring (11.5).”  Our recommendation is that merchants hire a qualified outside vendor to assist them with this requirement. We have no direct affiliation with such companies but know several with good reputations should you need a resource.

Requirement 12 (Security Policies): While the best-laid written plans may exist, there is still the human factor. Weaknesses identified include poorly written policies, including ones so long that they are stuffed in a desk never to be read again, and ones that are too vague. Note that the requirements apply to the services in scope of the organization’s PCI DSS assessment. The more the merchant reduces their scope, the more the burden falls on their service provider instead of their internal personnel. CenPOS reduces the merchant’s scope in several ways, including but not limited to:

  • Web payments on a hosted pay page, not the merchant’s web page
  • Electronic Bill Presentment and Payment, hosted the same way
  • Storing all card data, encrypted, on CenPOS servers, eliminating file-drawer and merchant-stored data

Verizon 2011 PAYMENT CARD INDUSTRY COMPLIANCE REPORT (PDF) download

Learn more about how CenPOS can help you with PCI DSS Compliance.


collecting political campaign contributions online

Thursday, June 3rd, 2010

Merchant services for political campaigns tend to cost more than for retail merchants. Why? The main reason is their lack of knowledge about the subject; the others include how payment is collected, the types of cards presented, and the credit card processing price plans they are on. Below I’ll address each issue in brief.

First, their lack of knowledge makes it easier for other companies to charge them more money. Think used car salesmen 25 years ago. Small campaign races will generally pay more than big races because there is little to process. This is simply an ROI issue, just as with small businesses. But what about the bigger campaigns?

How do politicians collect money for campaign contributions? The most popular methods are checks in the mail, donor cards collected at speaking events (check or credit card, key-entered later), and online donations. The donor card exposes the politician to substantial risk. Where are the cards stored while traveling from one event to the next? Who opens the mail? Who keypunches the data? What training have they had in protecting card data? Do you perform background checks on volunteers who see donor cards?

  • Reduce risk by keypunching data into a virtual terminal on site.
  • Reduce risk and cost by attaching a card reader to a computer. You’ll save about 0.5% by swiping vs key entering.
  • Always securely shred card data upon completion of transaction. With a well-developed donor form, you can detach or cut off the credit card data while still keeping critical information on the form such as payment amount. Record the authorization number and date processed on the form for your records.

Costs are affected by the type of card presented for payment. You can’t control this. But you also need to know the merchant services game, because this is a big gotcha. In my experience, the card type relates to the type of race; the bigger-dollar donors use rewards or corporate cards. Campaigns targeting smaller donations attract a high proportion of debit cards, up to 50%. Here’s the big catch on merchant agreements: the QUALIFIED RATE. Chances are 80% of cards presented will never hit the qualified rate. So what’s your non-qualified rate? What’s your best rate for corporate cards on a MOTO merchant account? (Interchange is 2.2% plus $.10 per transaction.)

Common Visa interchange rates for reference: RETAIL = swiped card. MOTO = mail order or telephone order. Ecommerce rates are the same, but account setup and rules are different. Below is a very small sample of the 500 or so possible rates we see every day on merchant accounts.

  • debit/check card, swipe .95% plus $.20 per transaction
  • debit/check card, MOTO 1.53% plus $.10 per transaction
  • credit card, swipe 1.79% plus $.10 per transaction
  • rewards card, MOTO 1.95% plus $.10 per transaction
  • Commercial card MOTO 2.2% plus $.10 per transaction
    Downgrade costs can be nearly 1%, and remember, these are interchange costs. Your fees will be higher.

Credit card processing price plans vary widely for this industry, but in general they are much higher than for others. That’s not because the raw costs are higher; it’s because the payment processors take bigger profits. Remember what I said about the used car salesman. Credit card processing is not the core skill of the average politician, and it may not be for the finance manager either. One of the most valuable assets of a politician is their time. Therefore they tend to copy what others in their party are doing, or simply look for the easiest solution that solves many of their time issues.

Ecommerce solutions for politicians are plentiful as they are for non-profits. I have no problem with payment processing costs being higher than average if you get a robust software package at no cost. Companies have to recoup their investment somewhere. But what if you pay for the software and the payment processing?

Let’s look a little deeper into an example such as Click & Pledge. It has lots of cool features to manage donors and build an online community. They also have an integrated payment processing solution option. I had to read several sections a few times, and based on what I read, I’m still not sure. Can you use their other features but not the payment processing? They have an API section which looks like a yes, but the non-existent comments in the forum make me wonder.

Their rates are among the highest I’ve seen at 4.5% and $.35 per transaction. But wait, that’s not for all cards. “Visa & MasterCard may add additional fees for affinity and cards which earn points. These cards are referred to as non-qualified cards and typically have 1% surcharge associated with them. The fees are not being charged by Click & Pledge and we have no control over which cards will be charged as a non-qualified card.” So merchants can expect to pay up to 5.5%. Basically they’ve locked in at least 2% profit (also known as 200 basis points) by my estimation, and that’s very high in today’s marketplace.

Two percent is about double the norm for a small business from what I’ve seen, although that market is not my specialty. Maybe solutions like this are still a good fit for your campaign. But before you buy, ask if you’re allowed to use your own merchant account. In most cases you’ll do far better on price, and there are other benefits as well. For example, if I were managing your account, I’d make sure you had the right type of merchant accounts for different situations to meet Visa and MasterCard regulations. You’ll get advice and handouts for volunteers on proper data security. We can assist with your check processing, including remote deposit capture. We can assist with payment type and provide risk management advice to help protect you against embarrassing data security breaches.

Keep more money from your online donations. Get a merchant account separate from your software or web host.

protect against payments fraud

Tuesday, November 17th, 2009

How can you protect your company from payments fraud? What are the current areas of risk? What are the statistics for losses? A JP Morgan presentation answers these questions with data for all payment types.

Managing Risk: What Matters Today: Protecting Your Assets is part of a series to help treasury management mitigate risk, among other goals. Link to PDF download and webinar.

We’ve identified a number of companies, services, and technologies that are especially vigilant in protecting you against fraud, including JP Morgan. Unlike JP Morgan, though, we are not limited to a single vendor option. Our clients can choose from many solutions, including expanding the relationship with their current vendor. We increase awareness of what’s available and help you choose the solutions best suited to your organization.

For example, CenPOS has fraud protection solutions to prevent improper credit card refunds.

last 4 digits of card don’t match

Monday, August 17th, 2009

How can merchants reduce the risk of fraudulent card transactions? One of the most widespread credit card fraud schemes involves magnetic stripe counterfeiting. This scam involves re-encoding a valid account number onto the magnetic stripe of an existing card, so the number on the stripe no longer matches the number printed on the face of the card. One way to catch this at retail locations is to require cashiers to key in the last 4 digits printed on the card so the software can compare them with the stripe. We automatically program the last 4 digits as a required field for all retail merchants. Here is how it works with our host-based payment processing technology and a signature capture terminal:

  • Cashier presses the sale button and enters the transaction amount. Other parameters such as an invoice number may also be required.
  • Customer swipes their card and data is immediately encrypted
  • Cashier asks to see the card, checks to see that it is signed, and then enters the last 4 digits of the card in the system.
  • Cashier presses submit and data is sent via secure internet connection to host; host returns message:
    1. approval and a request for signature on terminal; customer signs and presses enter
    2. approval and the terminal requests a PIN if the technology has determined that this transaction would best go through as a PIN debit transaction. The customer presses cancel if he/she wants to enter it as a credit transaction and is immediately prompted for a signature.
    3. denial and reason
      • If the magnetic stripe does not match the numbers you key in, the terminal will display “Last 4 Digits Do Not Match/Mismatched Digits” and will halt the transaction. To make sure you didn’t enter the wrong number, run the transaction once more. If your terminal displays the same warning, call the Automated Voice Authorization Center and tell the operator that you have a “Code 10” authorization.
      • A request for a “Code 10” authorization tells the operator that a suspicious transaction is taking place. If you can’t speak freely, the operator will read a list of possible problems with the card so you can answer yes or no and avoid alerting the customer. You should attempt to stay on the line and keep the card until the authorization is complete. If the authorization is denied, follow the instructions the operator gives you.
      • If the card is fraudulent, do not attempt to apprehend the card user. If the operator instructs you to retain the card, attempt to do so peacefully. Follow any specific instructions the operator gives, unless they put you at risk.

Any credit card terminal can be programmed to prompt for the last 4 digits. A host-based system also allows merchants to change and add security parameters on the fly for all locations.
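The host-side decision described in the steps above, as an added example written for this page rather than code from the vendor or the terminal: read the PAN out of the swiped Track 2 data, compare its last 4 digits with what the cashier keyed in, allow one re-entry to rule out a typo, and on a second mismatch direct the cashier to a Code 10 call. The Track 2 layout follows ISO/IEC 7813; the sample swipes, the “now” date and the counterfeit case (a stolen 4111… PAN re-encoded onto a card whose face ends in 4444) are constructed for the example.

```python
"""Last-4 check: compare the PAN on the magnetic stripe (Track 2) with the
digits the cashier reads off the face of the card."""
import re

# Track 2 layout (ISO/IEC 7813): ;PAN=YYMM<service code><discretionary>?
TRACK2_RE = re.compile(
    r"^;?(?P<pan>\d{13,19})=(?P<yymm>\d{4})(?P<svc>\d{3})?(?P<disc>\d*)\??$"
)
MISMATCH_MSG = "Last 4 Digits Do Not Match/Mismatched Digits"

# Constructed sample swipes, not captured from real cards.
GENUINE_SWIPE = ";4111111111111111=25121011234567890?"
# Counterfeit: a valid PAN re-encoded onto a card whose face ends in 4444.
COUNTERFEIT_SWIPE = ";4111111111111111=2512101?"


def luhn_ok(pan: str) -> bool:
    """Mod-10 check; a stripe that fails it is unreadable or re-encoded badly."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def parse_track2(track2: str):
    """Return pan/expiry/service code, or None if the stripe is unreadable.
    Full track data must never be stored after authorization (PCI DSS 3.2);
    only the fields needed for the decision are kept here."""
    m = TRACK2_RE.match(track2.strip())
    if not m:
        return None
    return {"pan": m["pan"], "yymm": m["yymm"], "service": m["svc"] or ""}


def evaluate_swipe(track2: str, keyed_last4: str, now_yymm: str, attempt: int = 1) -> dict:
    """Decide what the terminal should do next.

    attempt=1 is the first entry of the last 4 digits; attempt=2 is the
    re-entry the page recommends to rule out a cashier typo.
    """
    card = parse_track2(track2)
    if card is None:
        return {"action": "DECLINE", "reason": "unreadable track data"}
    if not luhn_ok(card["pan"]):
        return {"action": "DECLINE", "reason": "PAN fails mod-10 check"}
    if not (keyed_last4.isdigit() and len(keyed_last4) == 4):
        return {"action": "RETRY", "reason": "enter exactly 4 digits"}
    if card["pan"][-4:] != keyed_last4:
        if attempt < 2:
            return {"action": "RETRY", "reason": MISMATCH_MSG}
        return {"action": "CODE_10",
                "reason": MISMATCH_MSG + "; call voice authorization and request a Code 10"}
    # YYMM strings compare correctly within the same century.
    if card["yymm"] < now_yymm:
        return {"action": "DECLINE", "reason": "card expired"}
    masked = "*" * (len(card["pan"]) - 4) + card["pan"][-4:]
    return {"action": "CONTINUE", "masked_pan": masked, "expiry": card["yymm"]}


if __name__ == "__main__":
    print(evaluate_swipe(GENUINE_SWIPE, "1111", "2401"))
    print(evaluate_swipe(COUNTERFEIT_SWIPE, "4444", "2401"))
    print(evaluate_swipe(COUNTERFEIT_SWIPE, "4444", "2401", attempt=2))
```

The comparison is deliberately done on the host rather than in the terminal so that the rule, the retry allowance and the message can be changed centrally for every location, which is the property the paragraph above is describing. Note what the check does not do: it cannot detect a card whose face has also been re-embossed to match the stripe, which is why the Code 10 call and the cashier’s look at the signature panel remain part of the procedure.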

Is your merchant processor helping you with risk management? For just pennies a day, you can have a host-based payment processing solution that will reduce risk regardless of your payment processor, in addition to many other benefits, including cost reduction.

operations risk management for natural disasters

Wednesday, May 27th, 2009

With storms and grid overloads, what have you done to ensure you can accept payments regardless of the weather or localized power outages? With “always on” solutions, you can accept payments from anywhere. It seems a simple assumption, but many operations are not prepared for a short- or long-term power outage, even after Katrina, Wilma, and other natural disasters.

What are some of the options for an ongoing operation to accept credit card payments?

Virtual terminal: enter transactions from wherever you are. All you need is an internet connection. In the B2B world, this can be a critical mechanism to collect payments. What if you are a company that actually responds to help others after a disaster? In the hectic aftermath, record keeping is vital, and so is fast collection of payment for work as you mount overtime hours and material costs. With the right virtual terminal you can authorize an estimated amount for a job and capture the actual funds when you complete it, or auth/capture a deposit and bill the remainder upon completion.

Swipe credit card terminal: what if you can’t run your swipe terminals because the phone lines are down? Again, a virtual terminal saves the day.
- call in the orders to someone who has internet access for the virtual terminal (especially if you want good record keeping of the name, address, etc.)
- log in to a virtual terminal via a wireless card with a laptop
- if you have network internet access, do you have an ethernet connection on your terminal that you can plug in to?

Do natural disasters increase the risk of fraud in the aftermath? With the CenPOS payment processing platform, the administrator can remotely view the financial condition of each location in real time, see payment processing activity at all locations, and shut down or grant new access to staff. With a laptop and a USB terminal, employees can accept swiped credit card transactions from wherever they are; CenPOS checks key anti-fraud factors, and with an optional signature capture terminal you can further protect the company from chargebacks.

Chargeback protection: in a disaster aftermath, record keeping can be a nightmare, but with CenPOS signature capture your company can readily retrieve signed receipts for years after the original charge and present them to the processor to prevent a chargeback.

iStream Financial Services Anticipation of Risk Management Pays off

Friday, March 20th, 2009

iStream Financial Services’ Anticipation of Risk Management Related to Remote Deposit Pays Off

January 27, 2009 – Brookfield, Wisconsin – iStream Financial Services, Inc., a financial technology company in the business of managing payments, announced today that the company’s systems, policies and practices are on target with the FFIEC’s newly released guidelines for risk management of Remote Deposit Capture (RDC).

“These new risk management guidelines from the FFIEC are critical guidelines for examiners, business owners, banks and technology providers as many of the solutions out there aren’t as secure as they could be. Based upon our experience in payments, we anticipated and appreciate the need for these controls. That said, we’ve worked hard to ensure the reliability of our systems and procedures surrounding our solutions. The completion of our SAS 70 Type II specific to RDC processes is just one way we have proved our commitment to our customers,” said Fred Joachim, President, iStream Financial Services.

“We believe we have the most secure solution on the market. Our RDC process is secure from start to end, beginning with encrypting the images at the point of capture and eliminating the need for the user to store or export sensitive data.”

iStream’s foresight goes back years, not just months. In October 2006, iStream was asked to present at the FDIC Technology Summit in Washington D.C. regarding “Emerging Issues and Risk Mitigation in the Financial Institution Industry”. The presentation focused on helping auditors and regulators understand the risks related to RDC. iStream continues to be a leader regarding RDC processes and technology.

“You read and see the effect of data breaches almost daily. From credit card information to Social Security Numbers, no person or company ever wants it to happen,” states Mike Nell, VP of IT. “Our IT team has over 75 years experience developing solutions which address the inherent risks in payments systems. We were able to leverage that experience to engineer security, integrity, and reliability into our solution from the start.”

iStream’s Remote Deposit Capture service has seen phenomenal growth within the past few years. iStream’s flexible solution enables businesses to leverage multiple banks and is a major differentiator in the marketplace. In today’s economy, iStream provides businesses the controls they need while being able to work with the banking partner of their choice.

The FFIEC guidance, entitled “Risk Management of Remote Deposit Capture,” addresses the essential elements of RDC risk management: identifying, assessing, and mitigating risk, as well as measuring and monitoring residual risk exposure. The guidance also discusses the responsibilities of senior managers in overseeing the development, implementation, and operation of RDC in financial institutions.

iStream developed the first integrated Application Service Provider (ASP) RDC solution, which enabled the company to go direct to customers and offer financial institutions a superior solution. The essential ingredient for iStream’s success is simplicity: the iStream ASP model takes minutes to set up; the deposit process is three easy steps; and the user-friendly system moves beyond the deposit to incorporate online reporting and returns management, and is easily integrated with back office applications such as accounts receivable systems.

About iStream Financial Services:
iStream Financial Services’ core mission is to provide businesses and banks with solutions to consolidate and manage various payment types. The company leverages its technology platform, knowledge and people to introduce new products that will help businesses and banks across the country. iStream complies with FDIC security standards and is audited annually. The company has also completed a SAS 70 Type II to validate the end-to-end controls of our Remote Deposit Capture process, ensuring the integrity, reliability, and security of our application and systems.


FFIEC Issues Guidance on Risk Management of Remote Deposit Capture

Wednesday, January 14th, 2009

Financial Regulators Release Guidance on Risk Management of Remote Deposit Capture

The Federal Financial Institutions Examination Council (FFIEC) issued guidance today for examiners, financial institutions, and technology service providers to identify risks, evaluate controls, and assess risk management practices related to remote deposit capture (RDC) systems.

RDC enables customers to make deposits from their homes or businesses instead of taking the deposits to their financial institutions. Digital information captured at the home or business is transmitted to the financial institution or its service provider for clearing and settlement. Financial institutions might also use RDC in their branches and automated teller machines (ATMs) to facilitate deposit processing.

When properly managed, RDC can reduce processing costs, support new and existing products by financial institutions, and accelerate the availability of customers’ funds. However, RDC also introduces new risks and increases existing risks in processing deposits originated by an institution’s commercial or retail customers, or by customers of other financial institutions domestically and abroad.

The guidance, Risk Management of Remote Deposit Capture, addresses the essential elements of RDC risk management: identifying, assessing, and mitigating risk, as well as measuring and monitoring residual risk exposure. The guidance also discusses the responsibilities of senior managers in overseeing the development, implementation, and operation of RDC in their financial institutions. Interagency RDC examination procedures will be published in an updated FFIEC Retail Payment Systems booklet scheduled for release in early 2009.

FFIEC RDC Guidance (PDF)