Wednesday, July 27, 2011

American Credit Card Processing Decline in 2010

American credit card processing was the only electronic payment method to show a decline in use from 2006 to 2009 (-0.2% per year on average). There were 21.6 billion credit card transactions in 2009, 151 million fewer than in 2006. By volume, credit card payments amounted to $1.9 trillion in 2009, down from $2.1 trillion in 2006. This decline in credit card use may be a result of the economic recession and may not necessarily represent permanent changes in the payment behavior of U.S. consumers and businesses. As a reference, the rate of seasonally adjusted consumer credit card debt in the U.S. rose in every month from January 2006 to its highest point in August 2008 before falling in each following month through September 2010.

Debit card payments, on the other hand, built on their double-digit growth from 2006 to 2009 and made up 34.8% of all non-cash payments in 2009 (2.0% by volume). Total debit card transactions rose 14.8% per year for the period. PIN debit payments, facilitated by American credit card processing companies, rose more quickly (15.6% per year) than signature-based debit payments (14.3% per year). The absolute rise in signature debit payments from 2006 to 2009 (7.7 billion) was greater than the total increase in PIN debit payments (5.1 billion).

The average signature debit amount per transaction fell from $40 to $37 per item between 2006 and 2009. The average value of a PIN debit card transaction rose over the same period, from $37 to $39 per transaction. Interestingly, the average amount of signature-based payments fell below the average amount of PIN payments, partly reflecting the increased use of signature-based debit in small-ticket card payments.

Even though they still make up a relatively small volume among the various types of non-cash payments facilitated by American credit card processing companies, prepaid cards are the fastest growing type. The number of prepaid card payments rose by 21.5% per year from 2006 to 2009, and the volume of prepaid transactions rose at 22.9% per year. Private label (also known as store cards) was the most used kind of prepaid card, with 2.7 billion transactions counted in 2009. Two billion transactions were made on Electronic Benefits Transfer (EBT) cards, and 1.3 billion were processed through general purpose prepaid cards.

Prepaid debit transactions include payments by cards funded by U.S. firms or government agencies, such as payroll cards and EBT, but exclude single-use and reloadable cards, transit cards, toll systems, and phone cards.

Tuesday, July 19, 2011

Merchant Credit Card Account General Facts

Thousands of companies offer merchant credit card accounts, as well as bank cards to consumers. Before the beginning of the last decade of the 20th century, card issuers competed mostly by waiving annual fees and offering various program advantages. Since then, though, interest-rate competition has taken a much more prominent role in both areas. Many issuers and payment processing services providers, including practically all of the biggest issuers, have lowered rates for many of their clients below the 18 to 19 percent rates typically maintained through most of the last twenty years of the last century. Interest rates in general have become much more responsive to issuers' costs in recent years as more and more issuers have linked their interest rates to one of several indexes that fluctuate with market rates. (Presently, most large issuers tie the rates on their largest programs to an index, usually the prime rate.) Some issuers have divided their client bases according to various risk characteristics, offering lower rates to existing customers with good payment records while charging relatively high rates to cardholders that are higher-risk or late-paying. What is more, many issuers have tried to gain or maintain market share by providing very low introductory rates on balance transfers.

Over the past few years, merchant credit card account competition has led to significant shifts in market shares among the biggest providers. The majority of the larger issuers have expanded by acquiring portfolios from smaller competitors or by merging with other companies. Additionally, several of the more rapidly expanding companies in recent years seem to have enhanced their market share by providing comparatively low interest rate cards and attractive balance transfer rates. Others have increased market share through co-branding and similar rebate strategies, usually combined with waivers of annual fees.

Aggressive competition for customers among merchant credit card account providers in 2005 was at least partly responsible for a 5 percent increase from 2004 in the number of MasterCard and Visa cards in circulation, to a grand total of 595.2 million. The number of cards per consumer rose to an estimated 4.95. While the number of cards in circulation kept growing from 2004 to 2005, the growth rate was moderate, indicating that the market was becoming somewhat saturated.

Direct mail offers are still the primary marketing channel. We saw a new record in 2005, with 71 percent of U.S. households receiving an average of 5.7 offers per month in their mail boxes.

Tuesday, July 12, 2011

E-Commerce Credit Card Processing Suspicious Transactions

E-commerce credit card processing retailers should devise internal policies and procedures for managing out-of-the-ordinary or suspicious transactions and provide sufficient training for their sales personnel. Being able to identify suspicious transactions may be especially important for merchant account users involved in telephone payments, and employees should be provided clear instructions on the procedures to take to validate these transactions.

Your sales staff needs to be looking out for any of the following indicators of suspicious consumer behavior:
  • Hesitation. Look out for customers who hesitate or are uncertain when providing you with personal details, such as their ZIP code or the spelling of their street or last name. This is usually a sign that the customer is using a false identity.
  • Rush orders. Requests for quick or overnight shipping, from the consumer who needs to get the product immediately, should raise another red flag for probable fraud. While oftentimes completely valid, rush orders are among the most common signs of "hit and run" fraud schemes designed for obtaining products for a quick resale.
  • Random orders. Look out also for consumers who don't seem to pay much attention if a given item is not in stock. To reiterate, sales of this type may be designed for resale rather than for personal use.
  • Suspicious delivery address. Examine and flag any sale with a shipping address that is not identical to the billing address on the consumer's account.
    • Requests to deliver products to P.O. boxes or an office address are often linked to fraud.
    • Keep track of ZIP codes associated with high fraud rates and validate any sale that has a delivery address in these locations.
    • If your e-commerce credit card processing organization does not usually service international customers, be cautious when delivering to addresses outside the U.S., especially if it is a new customer or a rather large order.
In evaluating what looks to be an atypical order, bear in mind that if the order looks too good to be true, it most likely is.

Historical evidence suggests that online orders with these characteristics can be indicators of possible fraud. Suspicious web-based transactions are much like those in other non-face-to-face settings, although the web provides additional opportunities for online scams. The above list of possible fraud characteristics - compiled from the lists of industry experts - is provided to help you prevent fraud. An e-commerce credit card processing transaction with any one of these signs by itself is rarely a cause for alarm. When you discover several of them in the same order, this may be telling you that fraud is taking place.
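
The checklist above can be turned into an order-screening rule that counts how many indicators an order matches and sends it for validation only when several coincide. This is an added example, not code from the original post; the field names, the placeholder ZIP list and the threshold of two indicators are assumptions.

```python
import re
from dataclasses import dataclass

# Constructed values for illustration; a merchant maintains its own.
HIGH_FRAUD_ZIPS = {"00000"}      # placeholder ZIP, not real fraud data
REVIEW_THRESHOLD = 2             # assumption: "several" means two or more
PO_BOX = re.compile(r"\bP\.?\s*O\.?\s*Box\b", re.IGNORECASE)

@dataclass
class Order:
    billing_address: str
    shipping_address: str
    shipping_zip: str
    shipping_country: str = "US"
    overnight_shipping: bool = False
    hesitant_on_details: bool = False    # noted by sales staff on the call
    indifferent_to_stock: bool = False   # noted by sales staff on the call

def _norm(addr):
    """Compare addresses without regard to case or spacing."""
    return " ".join(addr.casefold().split())

def indicators(order, ships_international=False):
    """Return the names of the listed indicators that this order matches."""
    checks = {
        "hesitation": order.hesitant_on_details,
        "rush_order": order.overnight_shipping,
        "random_order": order.indifferent_to_stock,
        "address_mismatch": _norm(order.billing_address) != _norm(order.shipping_address),
        "po_box": bool(PO_BOX.search(order.shipping_address)),
        "high_fraud_zip": order.shipping_zip in HIGH_FRAUD_ZIPS,
        "international": order.shipping_country != "US" and not ships_international,
    }
    return [name for name, hit in checks.items() if hit]

def needs_review(order, ships_international=False):
    """One indicator alone is rarely a cause for alarm; several together are."""
    return len(indicators(order, ships_international)) >= REVIEW_THRESHOLD
```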

Wednesday, July 6, 2011

Credit Card Processing Companies Risk Exposure

Merchants and credit card processing companies who store magnetic stripe information provide fraudsters with an appealing and vulnerable platform from which to collect sensitive account information. As the nature of mag-stripe information theft keeps evolving, so does the requirement for retailers to continually strengthen their security controls and greatly limit their exposure to data compromise risk.

How Credit Card Processing Companies Can Limit Risk Exposure


  • Achieve PCI compliance. Merchants should work with their credit card processing companies to understand their data security role and what is required in regard to PCI compliance.
  • Do not keep mag-stripe information after obtaining transaction authorization. The entire contents of track data, which are read from the magnetic stripe by the POS device, must not be stored on any system after an authorization is received. If kept in a PCI-compliant fashion, the account number, "Good Through" date, and customer name are the only pieces of track data that can be stored.
  • Examine your current or pending payment applications. Perform a thorough evaluation of all such applications to ensure the non-storage of mag-stripe data. Verify the security of these applications using Payment Application Best Practices (PABP), which can be obtained from your credit card processing companies.
  • Report any account breach immediately after discovering it. If you suspect that such an event has taken place, alert all involved parties right away. Send a list containing all compromised card account numbers to your credit card processing companies within one business day. Keep in mind that the sooner you notify your bank of an account compromise, the sooner you shut the door on any counterfeit fraud and minimize your exposure.
  • Understand your liability for information security issues. Many merchant processing services contracts explicitly hold the retailers liable for any losses resulting from compromised account data if the retailer (and / or its service provider) lacked sufficient data security capabilities.
At the end of the day, an extra effort in prevention can go a very long way, as any costs that retailers and credit card processing companies expend up front to protect mag-stripe data are most likely going to be far lower than what they could end up paying in overall liability for data compromises.
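
One way to check a payment application for stored mag-stripe data is to scan its logs for complete track 1 and track 2 layouts and, where a record is kept, to reduce it to the three fields the list above allows. This is an added example, not code from the original post; the log lines are constructed and use a well-known test card number, and the function names are assumptions.

```python
import re

# ISO/IEC 7813 layouts: track 1 (format B) and track 2, with their sentinels.
TRACK1 = re.compile(r"%B(\d{12,19})\^([^^?]{2,26})\^(\d{4})(\d{3})([^?]*)\?")
TRACK2 = re.compile(r";(\d{12,19})=(\d{4})(\d{3})([^?]*)\?")

# Constructed log lines; 4111111111111111 is a test number, not a real account.
SAMPLE_LOG = [
    "2011-07-06 10:01:02 AUTH approved amount=37.00",
    "2011-07-06 10:01:02 DEBUG swipe=%B4111111111111111^DOE/JANE^15121010000000000000?",
    "2011-07-06 10:01:03 DEBUG t2=;4111111111111111=15121010000000000?",
    "2011-07-06 10:01:04 DEBUG swipe=%B4111111111111112^DOE/JANE^1512101000?",
]

def luhn_ok(pan):
    """Luhn check on the account number, used to cut false positives."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def find_track_data(lines):
    """Return (line_number, track_kind) for each line holding full track data."""
    hits = []
    for no, line in enumerate(lines, 1):
        for kind, rx in (("track1", TRACK1), ("track2", TRACK2)):
            for m in rx.finditer(line):
                if luhn_ok(m.group(1)):
                    hits.append((no, kind))
    return hits

def storable_fields(track1):
    """Keep only account number, expiry and name; drop service code and the rest."""
    m = TRACK1.search(track1)
    if not m or not luhn_ok(m.group(1)):
        return None
    return {"pan": m.group(1), "name": m.group(2).strip(), "expiry_yymm": m.group(3)}
```

The findings carry only line numbers and track type, so the scanner's own output does not become another copy of the card data.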

Acquirers are liable for no more than 80 percent of the total number of card accounts implicated in a mag-stripe data compromise. The remaining 20 percent is the rough percentage of accounts that typically will need little or no work by the issuers.

Wednesday, June 29, 2011

PIN Security and Key Management in Processing Credit Cards

All banks, retailers, and service providers processing credit cards that manage cardholder PINs and encryption keys must be fully in compliance with the PCI PIN Security Requirements. Here are some best practices on how to do that:
  • Use compliant point-of-sale (POS) equipment. Buy only POS terminals that have been PCI authorized. Work with your credit card processing companies or Encryption and Support Organization (ESO) to devise a plan that ensures that all installed attended POS terminals are approved by Visa and MasterCard and are using the Triple Data Encryption Standard (TDES).
  • Do not store PIN blocks. Although PINs are safeguarded in an encrypted or enciphered mode within a transaction message, they must never be stored in transaction journals or logs subsequent to processing credit cards. Many processing settings have programs that are designed to overwrite or mask PIN blocks. Still, any acquirer of PIN-based payments must examine all inbound and outbound PIN-based messages to make sure that there is no logging of PIN blocks within any given system. Moreover, any temporary logging function for payment research or troubleshooting must provide for the active removal of PIN blocks. This rule helps prevent collecting and subsequent attacking of any large storage of logged encrypted PINs.
  • Always manage secure key injection procedures. When POS PEDs and host security modules are first installed, they must be safely loaded with encryption keys. Irrespective of the kind of tamper-resistant security terminals being installed, the principles of dual control and split knowledge must be kept in place at all times to ensure the secrecy of the key being used. Additionally, retailers processing credit cards must design procedures that prevent any given person from having access to all constituents of a single encryption key. If a retailer uses an ESO for key injection into a POS terminal, the processor must register the ESO with the Associations.
  • Use keys only for a single purpose. To minimize the magnitude of data exposure if any key is compromised, encryption keys must be used solely for their primary intended purpose. This concerns all keys used in POS terminals and network processor links. Production keys must not be shared or replaced within the test system of an organization processing credit cards. All master keys or additional keys used in any production or test setting must be unique for each environment. The use of any production key in a test system setting is a high-risk violation. Any production key compromised in the test system or any key that has been encrypted with such exposed keys is to be considered compromised and must be immediately replaced.
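
The single-purpose and per-environment rules in the last item can be audited from a key inventory: find key values that appear in both production and test, find key values used for more than one purpose, and follow the key hierarchy to list everything that must be replaced. This is an added example, not code from the original post; the inventory records, key names and fingerprints are constructed, "fingerprint" stands in for whatever key identifier the security module reports, and treating a production key found in test as exposed is an assumption of the example.

```python
from collections import defaultdict

# Constructed inventory. "wrapped_by" names the key that encrypts this one.
INVENTORY = [
    {"id": "prod-zmk", "fingerprint": "A1B2C3", "env": "prod",
     "purpose": "key-exchange", "wrapped_by": None},
    {"id": "prod-pek-1", "fingerprint": "0F9E8D", "env": "prod",
     "purpose": "pin-encryption", "wrapped_by": "prod-zmk"},
    {"id": "prod-mac-1", "fingerprint": "0F9E8D", "env": "prod",
     "purpose": "mac", "wrapped_by": "prod-zmk"},
    {"id": "test-zmk", "fingerprint": "A1B2C3", "env": "test",
     "purpose": "key-exchange", "wrapped_by": None},
    {"id": "test-pek", "fingerprint": "77AA10", "env": "test",
     "purpose": "pin-encryption", "wrapped_by": "test-zmk"},
    {"id": "prod-tmk", "fingerprint": "5566EE", "env": "prod",
     "purpose": "terminal-master", "wrapped_by": None},
]

def _values_by_fingerprint(inv, field):
    seen = defaultdict(set)
    for key in inv:
        seen[key["fingerprint"]].add(key[field])
    return seen

def shared_across_envs(inv):
    """Fingerprints of key values present in more than one environment."""
    envs = _values_by_fingerprint(inv, "env")
    return sorted(fp for fp, e in envs.items() if len(e) > 1)

def multi_purpose(inv):
    """Fingerprints of key values used for more than one purpose."""
    purposes = _values_by_fingerprint(inv, "purpose")
    return sorted(fp for fp, p in purposes.items() if len(p) > 1)

def keys_to_replace(inv):
    """Exposed keys plus, transitively, every key encrypted under one."""
    exposed = set(shared_across_envs(inv))
    by_id = {key["id"]: key for key in inv}
    changed = True
    while changed:
        changed = False
        for key in inv:
            parent = by_id.get(key["wrapped_by"])
            if parent and parent["fingerprint"] in exposed and key["fingerprint"] not in exposed:
                exposed.add(key["fingerprint"])
                changed = True
    return sorted(key["id"] for key in inv if key["fingerprint"] in exposed)
```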