Monthly Archive: February 2007



Managing & Tech 28 Feb 2007 07:43 am

PCI Compliance Merchant Levels

Ok, so you get classified at a merchant level based upon some criteria that seem to center mostly around how many transactions you run.

  • Level 1 = Any merchant that meets one or more of the criteria:
    • > 6 million of any type of Visa transactions per year
    • Has suffered a hack or attack that resulted in cardholder data compromise
    • That Visa determines (“at its sole discretion”) should meet the Level 1 requirements to minimize risk to Visa
    • Identified by any other payment card brand as Level 1
  • Level 2 = Any merchant with 1 million to 6 million of any type of Visa transactions per year
  • Level 3 = Any merchant with 20,000 to 1 million Visa e-commerce transactions per year
  • Level 4 = Any merchant with:
    • < 20,000 Visa e-commerce transactions per year
    • < 1 million of any type of Visa transactions per year

Each classification has to meet some different rules on compliance validation.

  1. Level 1 has to complete on-site assessment by a qualified security assessor (QSA) and get their network scans promptly on schedule. (9/30/04)
  2. Levels 2 and 3 must complete and turn in a self assessment questionnaire and get their scans from an approved scanning vendor just like the top level. (9/30/07 for new level 2 merchants, 6/30/05 for the rest it looks like)
  3. Level 4s are supposed to do the self assessment and also get scans, but the de facto requirements and dates are determined by the merchant’s acquirer…

So…it looks like if your acquirer is willing to take the risk on you, they can allow you to remain non-compliant as long as you classify as a Level 4 merchant. If you move into the upper levels, it’s sort of out of their hands and the rules are set by Visa (unless they want to take fines for you for non-compliance, and why would they…from what I’ve read those usually get passed on to the merchant, sometimes with a markup).

Here’s the part that gets interesting and I’d like to hear about if anyone knows. An acquirer told us that Visa debit/check card payments do not have to count towards the ‘credit card’ transaction count. If that’s the case, then if you identify payments that are Visa branded debit cards separately from ‘real’ credit cards in your system, then your overall transaction count may go down considerably, thus pushing you into a lower merchant bracket and softening your compliance requirement, or compliance validation activities.

Is this for real?

The other thing I want to know is, if this is currently for real, am I unreasonable for thinking that it’s only a matter of time before the requirements tighten up to cover this gap on Visa debit cards?

I suspect that a Visa branded card that goes straight to someone’s checking account, while Visa is probably not at risk of liability for fraudulent charges, someone has to be (either the consumer directly, or the consumer’s bank that issued the card). For this reason, and since this is still ‘real’ money (arguably more real than credit card money, as it disappears from your checking account right now, rather than you paying it next month in your credit card bill), wouldn’t the cardholder data need to be held to the same standard of security regardless of if it’s a check card or a true credit card?

Anyone out there that happens to stumble across this and has some thoughts on the matter, please take a couple minutes to leave them in a comment. For now I’m going to go see if pcianswers.com has anything to say about the matter.

–Heather

Update: I emailed the AskVisa address on Visa USA’s website to ask them if this filtering of what counts as a Visa transaction was legit. They informed me to ask the bank. I suppose I have to try to get to someone in the particular bank that raised this advice that is more familiar with compliance than the sales rep to see what the situation is.

In any case, I wouldn’t advise considering this filtering as anything more than a temporary reprieve to earn a company more time to beef up compliance efforts, because if a business is growing, they’ll eventually hit a higher merchant level anyway, and it’s presumably only a matter of time before either PCI (or another standard) explicitly covers Visa check cards.

Update: I was able to clarify what I meant and my question has been sent on to the CISP group.

Update: I just received word back from Visa, and the word from the CISP team about transaction volumes is this: “Transaction volume is based on the aggregate number of Visa transactions (inclusive of credit, debit and prepaid) from a merchant Doing Business As (“DBA”).” Also, after getting in touch with the rep from our bank-ish entity (who had been out of town) I found they were talking (to my bosses) about an entirely new product they’d like to sell us (that we’d then need to integrate) to process pinless debit transactions completely outside of Visa, rather than a behind-the-scenes way to tell between Visa debit and Visa credit in our existing API. This separate product may or may not turn out to be worthwhile, but it’s nice to know that my initial reservations at what was relayed to me about the Visa debit thing were in fact due to something not lining up right (particularly, my lack of information about the pinless debit option). On to investigate further.

Art & Crafts 20 Feb 2007 07:56 am

Arts and Crafts Day at the Fullen-Davis House

Yesterday I had the day off from work. (Wooo!) It was a very nice day too. Started by sleeping a bit late, grabbing some breakfast, then running all over town looking for some supplies for projects I had in mind. Needed to get prepped up to redecorate a plain denim jacket, and needed to get stuff to remodel the dining table and chairs.

I couldn’t find any decent cheetah or leopard print like I had hoped for, but I did find some super cute cotton flannel stuff with sailing ships and compass roses all over it, old school style. Here is a picture that comes out pretty poorly. The fabric is cool though, just trust me.

After finding this fabric, and completing the rest of my errands (like lunch) I headed back home to get started. I disassembled our existing mismatched set of chairs (gathered at thrift stores and the like) and spray painted each a different color. One is a textured bronze/copper color, one is gold with white ‘stone’ flecks (used special stone textured paint), one is white with gold stone flecks, and the last one is just gold (it has a wicker style back, so the textured paint probably wouldn’t have come out well).

While these were drying I started recovering the seats from all the chairs with the new fabric. Most of them were pretty easy, but the one chair that has a cushioned back was a bit of a challenge because there weren’t really any good places to hide the staples when recovering the back. I sorta made a ‘seam’ with them along the bottom where it would be harder to see. I’m pretty proud of it, the back cushion being curved made it a challenge to get the covering to lay smoothly.

Here are some crappy cell phone pictures of the chairs:

Well, after that I was on a roll, and by then Ryan had gotten home from work and we’d eaten dinner, so I decided it was time to start that effort to paint the dining table. My dining table is a beast, it’s got to weigh at least a hundred pounds. It was a small meeting room table from the bank my mom works at, and so it was free from the bank’s redecorating efforts (yeay!) but it’s also a weird rose/mauve color (formica counter top stuff) with a wood edging that is very pretty but heavy, and a column style base that seems to be made of solid lead.

I had read that one could revamp old formica counter tops by scuffing them, painting very carefully, building up thin coats of color, then sealing it very well. Since the dining table would take less abuse than the counter tops, I thought it was worth trying. So we scuffed the table top up, taking care not to mess up the wood part, and then began plotting out the lines to put a nice compass rose in the center of the table to go along with those in the chair fabric. The lines that radiate out from the center to make the frame for the rose also divide the rest of the table into nice wedges, so we’ll alternate them light and dark blue (sea by day and sea by night). Ryan helped with the base coating after also helping with the scuffing and tracing of the lines across the circle to shore up the picture.

After the sea and the compass rose are done, I’ll add some ornate letters for the cardinal directions, and maybe some mermaids, anchors, giant sea monsters, shipwrecks, etc about the oceanic portions of the table. Then we’ll seal it all up good and call her done. I’m pretty excited about it, should be fun.

Pictures of table:

Pretty stoked. My hand hurts from using the staple gun so much, and my back hurts from the odd angles one must stand at while working on chairs with no outdoor work bench type thing, but I think it was worth it. Although I might try to talk Ryan into getting saw horses and plywood so that I can create a temporary outdoor work bench when I’m doing the spray painting and what not.

– Update Feb 21: The dark blue portions are painted, and the first two coats of red in the compass rose are in.  Will post more pictures after I have internet at home.

Ranting 20 Feb 2007 05:51 am

Represent

Ok, so, I’m not too fond of the management style of our current president. Being America, for right now it’s ok for me to say that. After all, I voted, and will continue to do so.

However, it irks me deeply for others with similar opinions to try to spread them by spamming folks. It simply kills the credibility of the dissent to resort to the same tactics used by those trying to sell prescription painkillers and diet drugs from across the border. People won’t take you seriously, and you make it harder for the rest of us.

Stop doing it.

I have enough spam comments to delete already. If you could, at least upgrade your spamming bots so that your random comments show up on posts where folks are talking about politics, you’d likely win more listeners that way.

Name: Antibush

Bush goes ballistic about other countries being evil and dangerous, because they have weapons of mass destruction. But, he insists on building up even a more deadly supply of nuclear arms right here in the US. What do you think? How does that work in a democracy again? How does being more threatening make us more likeable? Isn’t the country with the most weapons the biggest threat to the rest of the world? When one country is the biggest threat to the rest of the world, isn’t that likely to be the most hated country?
Our country is in debt until forever, we don’t have jobs, and we live in fear. We have invaded a country and been responsible for thousands of deaths.
We have lost friends and influenced no one. No wonder most of the world thinks we suck. Thanks to what george bush has done to our country during the past three years, we do!

Uncategorized 16 Feb 2007 03:25 pm

I Hate Spam

I have in the last couple days deleted, no shit, 12 comments that were attempting to sell some manner of prescription medication.

Uncategorized 11 Feb 2007 08:07 pm

water water everywhere

The pipe in the wall where the washing machine’s hot water spigot connects was very corroded. We discovered this today, as the pipe broke off inside the spigot, while we were sorting out unhooking the old washer to hook up the new one.

http://www.mokeys.org/blog/?p=24

Uncategorized 05 Feb 2007 02:41 pm

Awesome Web Site

Saving this one for posterity.  It’s a little wacky, but has tons of recipes and meal planning/grocery budgeting stuff.
http://www.hillbillyhousewife.com/ 

Uncategorized 03 Feb 2007 10:38 pm

Utah Days 6 and 7

Day 6: Laid around the condo, rode into Sugar House and ate curry, ate dinner at a Japanese steakhouse.

Day 7: Made it through airport security and spent several hours on planes. The flight from St Louis to Tampa was a bit choppy. At one point the pilot ordered the flight attendants to their seats over the PA, and took the plane down to a lower altitude to hopefully escape the bumpy air. This worked ok, but he could have sounded more calm and collected about the situation.

At least the TSA (Transportation Security Administration, I believe) allowed me to bring my tiny bottle of lotion (for my tattoo) on the plane. A gothy-type chick working at the security checkpoint asked me where I got my earrings and said they were cool, so I guess that’s a plus.

SO GLAD TO BE HOME!!!

The trip was fun, but I like my cozy little bubble and I’m glad to be back in it.  It was too cold up there and the air was way too dry.  Pretty sure I’m actually amphibian.  Like a lot of water in my air.

Ok, bedtime now, lot of packing to do tomorrow – the closing is Tuesday!

Geeking Out 01 Feb 2007 06:00 pm

Utah Day 5

It snowed again last night, more fresh powder. It also snowed during the day for a little while.

Elecia and I ventured into Sugar House to shop. We poked around antique/consignment shops, and a couple boutiques. She found some pretty antique earrings. I found some cool new shoes, a pair of earrings, and some old school letters (the big kind like you might find on a sign) for Ryan and I’s initials. I’m going to paint them and put them in the house after we get moved in. The stuff I got is super cool, so maybe I’ll take some pictures later.

The boys were more sporting, some went to Solitude. Ryan and some others from the group went to Alta. While I didn’t photograph my shopping expedition, Ryan did take some photos from his excursion, so here they are.

After everyone got back, some of the fellas (much hurting from their exertions) attempted to get into the hot tub. They came out after a few minutes red like lobsters. The temperature is rather too hot, and we couldn’t find the mechanism for adjusting it, unfortunately.

Now they are playing poker:

And for extra credit, a picture of the pets that I found on Ryan’s phone today. I miss our puppers.