Tuesday, July 17, 2012

A Few Good Methods for Processing Credit Cards

Tips for nonprofits and libraries to process credit card transactions both online and off

By: Laura S. Quinn and Kyle Andrei
August 15, 2011

This article — originally written in 2008 — is courtesy of Idealware, which provides candid information to help nonprofits choose effective software. For more articles and reviews, go to www.idealware.org.
Once you’ve read through the different methods for processing credit cards, read Getting the Best Prices for Processing Credit Cards to understand rates and fees from credit card processing vendors.

Accepting payments by credit card is not necessarily difficult or expensive. We provide some tips and tools to process credit card transactions, both on- and offline, for organizations of all sizes.

Maybe you’re hoping to process payments made by donors over the phone, or to allow on-site registration at your next conference. Perhaps you want to take credit card payments at a T-shirt booth at a concert, your library’s gift shop, or a craft fair or farmer’s market. What’s involved?

The world of credit cards is complex, and there are a number of ways to accept them as payment — some of which require different types of hardware and software, and relationships with banks. We talked to six nonprofit staff members and consultants with a lot of experience in credit card processing to better understand the options and combined their recommendations in this article.

Security First and Foremost

Taking credit card payments requires you to sign an agreement to uphold the Payment Card Industry Data Security Standard, commonly known as PCI requirements. Any method will require some vigilance, like making sure payment hardware and software is secured, but some will be more security-intensive than others. For instance, using a card imprinter (described below) will require that you document and enforce procedures for handling and subsequently destroying imprinter slips, while using a terminal or online payment method — which makes it harder for anyone to get at credit card information — requires less of a security effort.

Violating the PCI requirements can result in a substantial fine and the loss of your ability to accept credit card payments. If the information gets into the wrong hands, you also risk losing your constituents’ trust.

Three Steps to Processing Credit Cards

Weighing your options for processing credit card payments requires a basic understanding of how the system works. The multiple steps are complex, and can involve a number of different vendors and entities.
  1. Collect and enter credit card information. In order to process a payment, you’ll obviously first need to collect the credit card information from the person making the payment and transfer it — either electronically or manually — to a service that can actually process it. This step can range from writing down the card information and sending it to your bank to typing it into an online system or swiping the card through a specific kind of hardware.
  2. Authorize and commit the charge. Once the payment information is entered, it’s transferred electronically to a payment processor that authorizes it by checking to see that the credit card account exists and has enough money to cover the charge. The processor then charges the card. Whichever method you use, you’ll have some kind of processing specialist in the mix who will manage the electronic flow of money for credit card transactions. They typically do very little else, so they tend to work hand-in-hand with another system that provides the interface to enter information and handles any other needed functionality.
  3. Deposit money to bank account. Once the card has been charged, there’s a critical step: receiving the money. The payment processor always deposits the money in a bank account called a “merchant account.” Money is then automatically transferred from your merchant account into a bank account from which you can actually withdraw it.
For most of the methods covered here, you’ll need to open a merchant account through your bank or one recommended by your payment processor. Like any bank account, you’ll want to shop around, as rates vary. These accounts define the base amount you’ll pay for each transaction.
Because credit card companies also charge a per-transaction fee, there will always be some fee involved, but the size and terms can vary substantially. For instance, a merchant account might charge you $25 per month plus 2.2 percent of each transaction — a good rate, applicable to an organization with a high volume of transactions. Or they might charge a simple 2.8 percent of each transaction with no monthly fee, which could be more appealing if you’ll have a low volume of transactions.
If you want to take online payments, make sure your merchant account allows them. You might want to choose an online payment vendor first and ask them for recommendations for a merchant account bank to make sure it’s compatible with your online payment method.

Credit Card Processing Methods

That’s how it works. But how do you start actually taking credit card payments? There’s a wide variety of methods, each appropriate to different situations.

Credit Card Imprinting Machines

The simplest way to process credit card transactions is also the one that’s been around the longest. Imprinters, those little plastic swipe machines that carbon copy the credit card, make quick imprints of the credit card information for you to process later. The downside is that, if a card is declined, you won’t find out until long after the payer is gone, and you might have to work to track them down. You can generally get an imprinting machine for free, or for a small fee, from the bank where you opened your merchant account.
Imprinters are an easy and inexpensive way to collect information on site. However, you still need to process the charges later using one of the other methods, and there’s a substantial risk inherent in carrying imprinting slips around, as you’re essentially carrying a stack of credit cards. If you lose the slips, in the best case you’re out a bunch of payments. In the worst, you may have just funded some nefarious person’s taste for expensive electronics and exotic trips.
Imprinters make the most sense when you only need to take a few payments in some kind of temporary location. They’re a short-term, quick-fix type of processing method rather than something you’d use to process a volume of credit cards over a long period of time.

Bank Processing

If you’ve collected credit card information — via an imprinter or through mailed-in donation-via-credit-card forms — one of the most straightforward ways to process the charges, though likely not the cheapest, is to ask your bank to do it. Many banks will run these payments for organizations that have merchant accounts with them.
The payments are then deposited into your merchant account and make their way into your regular bank account within a few days. The bank is responsible for destroying the paper forms, reducing your risk. If you almost always receive your credit card payment information in paper, bank processing can make a lot of sense.

Credit Card Terminals

If you need to take a higher volume of payments in on-site situations, consider investing in a credit card terminal, also called a “swipe terminal.” These small machines allow you to swipe a credit card, enter the payment amount on a keypad, and then process the payment — and, in many cases, even print out a receipt. In most cases, you can buy them for a couple of hundred dollars from the bank that hosts your merchant account, or rent one for a particular event. AuctionPay and sites like it rent terminals with a focus on nonprofit events. [Editor’s Note: TechSoup offers discounted terminals and merchant accounts to nonprofits and public libraries through its programs with Dharma Merchant Services and Sage.]
Terminals may require a power source, though some run on batteries. They also require connectivity, generally a telephone line, to process credit cards in real time. Some allow you to store transaction information to process when you can connect to a phone line. Unlike imprinters, the terminal stores the information internally so it’s more secure, and so you won’t have to enter it later, but you still run the risk of not receiving payment for any declined cards.
Terminals are widely used and effective in a number of different situations, from on-site events or a development office that needs to process a lot of phone credit card donations to gift-shop type settings. However, integrating terminals with other databases — say, to process a donation and record it at the same time to a constituent record — can be difficult. If you need to do a lot of this, one of the other methods might work better for you.

Mobile Devices

As an alternative to portable credit card terminals, smartphones and other mobile devices (like iPads) can now process transactions over 3G or wireless connections. They do this either by manually entering card numbers or — with inexpensive additional hardware — by swiping cards directly. This functionality can be provided through a vendor, like Square or Sage, or you can download a card reader app for free or at a low cost.
This method has the advantage of portability, as you can process transactions anywhere you have phone reception, and requires less hardware to purchase provided you already have a smartphone or other mobile device. Vendors will often include a processing method, factored into the cost of the product, while the apps will work with online processing services like Authorize.Net.
There are security issues to consider, though. Does the app you’re using encrypt the numbers for protection? When a card is swiped, does it show the full number, or just the last four digits? Are the credit card numbers actually stored on your device? They shouldn’t be. Remember, too, that if you plan to leave your device somewhere, like a storefront, it is much easier for a thief to steal than a credit card terminal, and a more attractive target.

Swipe Hardware

To save time over manually entering every credit card transaction, consider hardware that lets you swipe cards. You can buy such devices to connect to a laptop or personal computer via USB, or to most mobile devices — even Apple products. They range in size from a basic, small card reader to something that can actually hold your mobile device, often extending battery life. These readers can run from about $20 to $150 or more. One mobile payments company, Square, provides their mobile card reader for free to new customers.

Virtual Terminals

A “virtual terminal” allows you to enter credit card and payment information into an online form and process it over the Internet. You can “rent” a virtual terminal from an online payment processing specialist, such as Authorize.Net, usually for some combination of a monthly fee and a percentage of the transactions.
Virtual terminals don’t often support swipe hardware, and thus require you to take the time to manually enter credit card information, and they don’t integrate easily with constituent management systems. Such limitations mean they’re probably not the best solution for processing a lot of payments, but they can be convenient options for processing a few payments if you have an Internet connection.

Online Payment Processors

A huge number of online payment vendors specialize in specific types of online payments. For instance, it’s easy to find vendors who support online donations, event registration, or item purchases. While these vendors typically provide an interface optimized for your constituents to submit payments on their own, most work perfectly well to allow your staff to process payments as well.
Does your staff get registration requests by phone? There’s no reason they can’t enter credit card information into the same interface a registrant would use to register themselves. Just make sure that any automatic emails sent out to the registrant make sense in either situation. This method might even work for in-person scenarios — for example, to process on-site registrations, or sell a few items in a store. Keep in mind that unless you buy some compatible swipe hardware, you’ll need to type in credit card information by hand. This may seem odd to the person paying, as it’s more typical to swipe a card in this situation.
These online payment specialists often offer a number of features specific to their focus area. For example, an event registration tool might allow you to easily track lunch requests and print name tags, while online donation software might support pledges and tribute gifts. For more information, see our specific articles on this topic: A Few Good Online Payment Multitaskers and A Few Good Online Event-Registration Tools.

Payment-Enabled Software

If you’re processing payments that need to interface directly with constituent management software, like donations or membership fees, many mid-tier and advanced software packages let you process payments directly from that software. For example, DonorPerfect, eTapestry, and Raiser’s Edge, three of the more popular donor management systems, all allow you to enter payment information into the software and then process the payment and create a record for it in one step. Both DonorPerfect and eTapestry are available for donation to eligible organizations through TechSoup.
This convenient option lets organizations process a high volume of a single type of payment, and saves time-consuming double-entry. Like online payment processors, this solution might also work for in-person scenarios, but is optimized for over-the-phone transactions.

Point-of-Sale Solutions

If you want to take credit cards in a permanent physical location like a gift shop, registration desk, or cashier station, consider more hardware-intensive options. You’ll certainly want a way to swipe cards and print receipts. You could do both with a credit card terminal, or use separate swipe hardware and a receipt printer. You may also want to add up a number of items and calculate taxes, which terminals typically won’t do. If you often sell a number of items to one person, you may want a price scanner and a display pole (the small screen that displays what you’re ringing up to the customer).
If you’re heading down this path, point of sale software such as CamCommerce or Keystroke starts at a couple of hundred dollars and helps you integrate all the hardware you’ll need. It’s also very helpful at managing actual inventory.

How to Decide

With so many options, how do you decide what will work for you? Think through the following considerations:
  • Will you have access to the actual, physical credit card? Having cards in hand will save you time. For any volume, you’ll want a method that will allow you to swipe the card rather than typing in numbers, and to print a receipt.
  • Will you have power and connectivity? Processing credit cards without an Internet connection substantially limits your options. Similarly, if you don’t have a phone line, you’ll need to use an imprinter, mobile device, or specialized terminal.
  • Does the transaction need to be stored in your constituent management system? Processing donations or membership renewals that need to be tracked in another piece of software means integration should be a key concern. Payment-enabled software, an online payment processing solution, or a point of sale setup can help.
  • Is this a short-term, low-volume need, or a permanent high-volume setup? The right hardware and integration with other systems can be a big time-saver, but they require some initial up-front investment. Does it really make sense to use a quick and dirty method like an imprinter or virtual terminal, or will investing in a more-efficient solution save money in the long run?
  • Do you need to store credit card numbers? Doing so in any format requires strict and specific security measures under PCI requirements, and unless you have a thorough understanding of the regulations and have spent the time and money to create a system that is in compliance, you’ll want to use an online payment processor or payment-enabled software to handle recurring transactions.
  • What will your constituents expect? Don’t forget this important consideration. Be careful of methods that require you to gather someone’s life story in order to run a simple payment, or require your staff to go through strange and time-consuming machinations with a constituent standing in front of them.
It can be complicated to understand your options in processing credit cards. Many of the methods themselves are actually quite straightforward, however, and every organization should be able to find one that’s suitable. Whether you’re taking donations, registering members or attendees, selling T-shirts, or running a complex retail organization, there’s a method that will allow you to take credit cards straightforwardly and securely.

Thanks to the nonprofit technology professionals who provided recommendations, advice, and other help for the original and updated articles.

Laws for Organizations that Accept Online Payments

Editor's Note: This article was originally published in February 2007, and was updated by Carlos Bergfeld, a web content writer at TechSoup Global.

Due to credit card thefts, identity thefts, and other unsavory online criminal activities, businesses that handle credit card data are required by state and international laws to protect sensitive information or risk fines and penalties.

Many of these laws affect large e-commerce outfits, but nonprofits accepting online donations or dealing with certain types of personal information should also take certain precautions to keep data safe.

Not-So-Secret Identity

Online identity thieves can steal credit card numbers, Social Security numbers, online banking passwords, and other information linked to a person's identity. They can use this information to purchase goods, access bank accounts, and take out loans or mortgages in someone else's name.

Identity thieves also resell stolen identities on a bustling black market conducted in Internet chat rooms. The going rate for a credit card number, the account holder's date of birth, and the card's three- or four-digit security code is $20, according to a CNN.com article.

How bad is the problem? More than 260 million records containing sensitive information have been exposed since January 2005, according to the Privacy Rights Clearinghouse, a website that tracks security breaches.

Every organization that accepts credit cards and other personal information through its website should encrypt that information as it crosses the Internet. But thieves typically don't bother to steal data during transmission; instead, they break into computers that are connected to the Internet, or simply steal the physical machines that store sensitive data.

Laws Mandate Data Protection

Regulatory bodies and U.S. states have reacted to the identity theft crisis by creating rules and laws governing how personal information is to be protected and when organizations are obligated to publicly report a data breach.

Nonprofit organizations that accept credit card donations should pay particular attention to the Payment Card Industry Data Security Standard (PCI DSS) and state identity theft and breach notification laws.

The PCI DSS, which provides explicit guidelines for securing credit card information, was created by credit card companies MasterCard, Visa, American Express, JCB, and Discover after these organizations formed the PCI Security Standards Council.

These rules affect any U.S. organization — regardless of size — that processes, stores, or transmits credit card data. An organization that fails to comply with this standard and suffers a data breach may be fined by the bank that processes the organization's transactions. Nonprofits should contact their bank or card processor to determine if they must comply with the standard.

Different Rules for Different Organizations

Those organizations required to comply with the standard are categorized into four levels according to their annual number of credit card transactions.

For instance, for Level 1 merchants (those processing more than six million transactions a year), compliance means being evaluated by a qualified third-party auditor. Level 1 merchants must also undergo quarterly security-assessment scans. These scans probe the merchant's network for common software vulnerabilities that could be exploited by an attacker, and assess the configuration of security devices such as firewalls and intrusion detection systems.
Level 2 includes merchants that process one million to six million transactions per year. Level 3 is 20,000 to one million transactions, and Level 4 is fewer than 20,000 transactions.

Level 4 organizations don't have to hire a third-party auditor. Instead, they can perform a self-assessment using a questionnaire developed by the PCI Security Standards Council. There are five versions of the questionnaire, depending on the type of transactions an organization processes, and all questionnaires are available on the PCI SSC website. Level 4 organizations must also undergo an annual security assessment scan from a PCI DSS-qualified organization, known as an approved scanning vendor (ASV). A list of all ASVs is available here, and your bank should be able to recommend an ASV as well.

The complete copy of the PCI DSS version 1.2 is available online.

Level 4 Requirements

Most nonprofits process fewer than 20,000 transactions and will fall into Level 4. The standard consists of 12 requirements that cover a broad range of security issues, from network protection to access controls to creating an information security policy.
  1. Install and maintain a firewall configuration to protect cardholder data.
  2. Do not use vendor-supplied defaults for system passwords and other security parameters.
  3. Protect stored cardholder data.
  4. Encrypt transmission of cardholder data across open, public networks.
  5. Use and regularly update antivirus software.
  6. Develop and maintain secure systems and applications.
  7. Restrict access to cardholder data by business need-to-know.
  8. Assign a unique ID to each person with computer access.
  9. Restrict physical access to cardholder data.
  10. Track and monitor all access to network resources and cardholder data.
  11. Regularly test security systems and processes.
  12. Maintain a policy that addresses information security.
The full standard goes into significant detail on these requirements. For instance, Requirement 1 delves into issues of firewall configuration, the creation of a DMZ (demilitarized zone, the common term for a buffer between the public Internet and your private network, in which your internal IP addresses are masked by the IP address of your firewall or firewalls), and the documentation of ports and protocols used by your organization.

Given the complexity of PCI DSS compliance, you should first contact your bank or credit card processor to ascertain whether you are obligated to comply. If you are, the next step is to address each of the requirements laid out in the standard.

Essentially, this means you will identify where this information resides in your organization, according to David Taylor, founder of the PCI Knowledge Base, an independent research community focused on PCI DSS.

"We go into the organization and ask how many servers, how many databases, how many applications use credit card data," said Taylor. "Look at the data flow to figure out how it gets from here to there."

The next question to ask is how your constituents' credit card data is protected when it's stored in your organization's database or on the hard drive of one of your computers. For instance, Requirement 3 specifies the use of encryption for credit card numbers, including on any databases, PCs and laptops, and backup media containing sensitive data.

Circumventing the Issue

For organizations concerned about the effort needed for PCI DSS compliance (which is likely to be significant for small organizations that don't have a dedicated IT or security expert on staff), there is an alternative.

"The simplest and cheapest way to get compliant with PCI is to not have the data," said Taylor.

Taylor recommends finding a third-party service to handle processing for you, so that you don't have to store credit card information on servers or databases that belong to you. Check with your bank to see if it can recommend a reputable service.

Of course, the processor will also have to be compliant with the standard. "Ask for a signature on a letter, or for a certification, which the company should be able to give you," said Taylor.

Another option is to use PayPal instead of accepting credit cards. PayPal, owned by eBay, brokers payments from one account holder to another over the Internet. Accepting donations through PayPal means organizations don't have to process or store credit card transactions — PayPal simply sends the money to the organization's account for a percentage of the transaction and a small fee. On the other hand, credit-card processing companies charge for their services, not per transaction. PayPal offers a special program for nonprofits called PayPal Donations.

PayPal is also established throughout the world, and supports payments in a variety of currencies (including the U.S. dollar, the Euro, the yen, and the Canadian and Hong Kong dollars), making PayPal an ideal option for international nonprofits. For more information, see PayPal Worldwide.

Other organizations offer similar services to PayPal, but tailored to the nonprofit community. A few of these offerings are available to eligible organizations through TechSoup, like BlackbaudNow and Network for Good. BlackbaudNow's fundraising starter kit provides small organizations with tools to create a donation-ready Web site, powered by PayPal. Similarly, Network for Good's internet fundraising services allow organizations with their own websites to add donation buttons so donors can make credit card contributions through the Network for Good secure web server. To find out about other third-party options, read Idealware's article A Few Good Online Payment Multitaskers.

Laws and Regulations by State and Overseas

Nonprofits must also be aware of U.S. and international laws dealing with the privacy of personal information, including credit cards, Social Security numbers, and bank account information. Now, 45 U.S. states have breach notification laws on the books.
The European Union has data privacy laws, known as Directive 95/46/EC (you can download a copy of the law in a variety of languages), but as of yet the EU does not have breach notification laws.

Japan does have a breach notification law, called the Act on the Protection of Personal Information. An English translation of the law is available online.

While the PCI DSS standard lays out specific requirements for securing data, most state breach notification laws have a different purpose. Rather than tell organizations what steps to take to protect information, these laws compel businesses of all sizes to notify customers that information that could be used to perpetrate identity theft has been exposed.

The goal of these laws is to spur companies into protecting sensitive information more carefully, because organizations generally don't like to report data breaches. It's embarrassing, and may cost them in lost business, a damaged reputation, or even lawsuits. The same goes for nonprofits: You may lose both existing and potential donors if donors believe you aren't a good steward of their personal information.

Each state law will have its differences, which means you'll have to do some research depending on where your organization is based. Many state laws also require a company based in one state to report a breach if it exposes personal information of out-of-state residents.

California’s Data Breach Law

California's data breach notification law, SB 1386, requires any person, business, or state agency with California residents as customers to report a breach, even if that organization isn't located in California. Nonprofits that aren't based in the United States should consult with a lawyer to determine if they are liable under U.S. state laws.

SB 1386, which went into effect in 2003, provides a good example of the kinds of requirements you'll find in other state laws. It has also been touted as a model for potential federal legislation.
Some of the key provisions of the bill:

First, it compels organizations with California customers to notify those customers about known or suspected disclosure of personal information to an unauthorized person. SB 1386 defines personal information as a person's first name or first initial and last name, in combination with any of the following:
  • Social Security number
  • Driver's license number
  • Account number, debit or credit card number, plus whatever password allows access to the account
Notification can include any one of the following: a written notice, an electronic notice (email), or substitute notice if the cost of notification would exceed $25,000 or more than 500,000 people. (Though this varies by state.) Substitute notification includes email, conspicuous posting on the organization's web page, or an announcement to statewide media.

Note that the bill says organizations don't have to disclose a breach if the disclosure would affect an ongoing criminal investigation. Personal information that was encrypted at the time of exposure would also remove the obligation to notify customers.

Because individual state laws will have their own definitions of personal information and their own notification triggers, organizations that store personal information should consult a lawyer about state and international breach notification laws.

The Urge to Purge

Collecting donor information is a standard procedure for nonprofits, but you must understand the risks associated with that practice, particularly for sensitive data such as credit card numbers. The most prudent policy to follow regarding such information, says Taylor, is, "You don't want to get it, and if you do get it, you don't want to keep it."
