It is rumoured that MasterCard is currently investigating PaySystems and other payment processing companies to investigate if they comply with their new rules. It is even rumoured that PaySystems has been shut off by MasterCard. Can anyone find out if this is true? Why is MasterCard doing this? I know that internet businesses are considered as a high risk business, but shouldn't MasterCard take care of those online pharmacies and other bogus internet businesses instead of the payment processing companies? Since last year, VISA and MasterCard have made payment processing for high risk businesses a total fluke and these businesses are threated like criminals. They keep on coming with new regulations every month which every merchant has to follow. It seems like they have a monopoly position because payment processing companies that don't comply with their rules can even get fined for $2,500 a day!

By the way: This also means that every merchant using the payment gateway must comply with these rules and can be shut down immediately. The fines that the payment processing company will get will be deducted from the merchants balance. Doing online business will be the same as opening a bank account in the future.

Paysystems is a third party processor. They are always being investigated. When Paypal sold to e-bay, it was also rumored that Visa was going to shut them down.

Mastercard & Visa do not like third party processors at all. A lot of times, they do not know where the money is going.

There are news services being developed now to hopefully combat some of this.

Mastercard & Visa do not write as manu new rules as they re-interpret their existing ones. If things are not going their way, they basically tell you that that is not how it was supposed to be interpretted.

MichelH,

I see where you are coming from about Visa and Mastercard. They do have a "zero tolerance" approach to dealing with corporate entities that accept their cards.

It seems unfair, but I'm glad its just not me.

My only suggetion is don't mess with them.

Corey- Just curious, what are some of those new developments?

Stored Value cards is one. They still use the network but depending on the company that issues them, their rules are lax. We have been testing some actually with some different groups via an Employee Benefit group.

We just now spawned another company to create the same thing & use our existing network to launch these types of cards. Transferring the money from one card to another is the hurdle we have currently hit. It is just interesting at what has to be done.

Yes - I know there are other cards like this out there and marketing is one. We are not actually marketing the card - the companies that want to use it are.

I think though that these stored value cards are going to be more valuable than what people realize. They actually tuned me down about 6 years ago because people thought that the idea would never work. Now it is being viewed differently.

It just point out that for credit card processing like most forms of business you are better off doing business with the source when possible then it's suppliers.

Well, I think that this kind of monopoly is not even allowed. Secondly, what happens if an online shopping mall using an IPSP is sending all their orders through the gateway of the IPSP? The shopping mall has different online stores within their database. So you are telling me that MasterCard wants to see an agreement between the shopping mall and all of the online stores that are using the interface of the shopping mall? This would be kind of how 2CO works, right?

Yes, they would like to see an agreement, but not between 2CO & the stores, but between MasterCard & the stores. They like to know where their money is going.

Well, I think it is impossible for MasterCard to demand this as not all online stores can apply for MasterCard directly. This would mean that all the suppliers that use an online shopping mall to sell their goods, would have to have their own connection to a gateway or directly through a bank to accept credit cards and are no longer allowed to accept credit cards through gateways like 2CheckOut because when entering the store directly you have to end the payment process through another gateway than 2CheckOut if this is true. Unfortunately, I do think that this is what MasterCard wants. In my opinion, Visa/MasterCard are trying to set new standards, which is okay. What is not okay, is that they (especially MasterCard) try to force everyone to be compliant with high fines and threatening to shut them off. According to EEC rules, this might be a kartel, which is not allowed. Any legal experts out there who would like to discuss about this?

It is rumoured that MasterCard is currently investigating PaySystems and other payment processing companies to investigate if they comply with their new rules. It is even rumoured that PaySystems has been shut off by MasterCard...

This is true but possibly exaggerated. All the card companies are implementing new security rules and HIGHLY recommending compliance and even threatening fines and shut-offs. The card companies are starting at the top with the banks, processors, gateways and third-party processors and then work their way down.

The problem is that there is a disconnect between the persons that make the rules and the persons that enforce the rules within these companies. The people that make the rules are thinking about fraud liability; the people enforcing the rules are thinking lost revenue if they piss too many merchants off. Because of this, enforcement of these rules, thus far, are just idle threats. I've heard that Verisign has as much as told VISA and MasterCard to go piss up a rope yet I have not heard any rumors that Verisign is going to be fined or shut off.

Most likely, enforcement of these new rules will somehow be rolled up into the fees the merchant pays – if you, as a merchant, comply with CISP and the other mandates, and you only use compliant systems between the cardholder and the bank, then you will pay a slightly lower rate that the merchants and systems that don't comply.

Until some sort of consistent enforcement structure is adopted (fees or otherwise), the enforcement will be limited to saber rattling and possibly fines for merchants, third-party processors, gateways or banks that actually get hacked and it can be determined that non-compliance to these new security rules attributed to the event.

BTW, I'm not advocating non-compliance with these new regs and mandates, quite the opposite; I advocate immediate compliance regardless of the enforcement methods or threat of fines. Lack of security is not just a black eye to the payment industry; it is a black eye to the entire Internet e-commerce community.

What are some ways in which you can avoid the CISP?

What are some ways in which you can avoid the CISP?
I can't think of any reason why you would want to avoid CISP. CISP stands for Cardholder Information Security Practices and most of the requirements are common sense practices if you don't want to be ripe for hacking...

Some companies have been solid and safe and have never been hacked and still have to obey these new rules. You can't tell me that this is just a safety measure. They want to rule the whole industry according to their standards. Some third party processors have been doing great and never experienced any problems, until MasterCard compliance issues came in. They seem to hate third party processors for providing a great service to smal and medium internet vendors and in the end they are still making a fortune out of it. Like I said before: it is okay to set new standards, but give companies a chance to implement these rules, instead of making deadlines. They act like a dictator.

...it is okay to set new standards, but give companies a chance to implement these rules, instead of making deadlines. They act like a dictator.
At some point they must act like dictators. CISP has been around as a voluntary program for almost 4 years with very few companies taking it seriously. Yes, there are good processors and gateways out there, but this is a case where a few rotten apples spoiled the batch.

Also, I truly believe that the card associations got pushed into this dictatorship in the security area. After 9/11, the US government (and others) told the associations to get their act together or the government would do it for them. While I don't think that CISP (et. al.) is perfect, government involvement would only make for another bureaucracy where NOTHING would get done.