A core philosophy at Smyth Retail is to provide as many open system solutions as possible, so our clients aren’t locked into proprietary hardware, software, supplies or services and can retain a competitive buying position. In this case, we are well supported by Datacap Systems, which has been our credit card processing partner since the 1980s. While many software companies lock their clients into a specific credit card processor, the NETePay solution supports every major processor in the marketplace. Yet we strongly recommend against any processor except Mercury Payment Systems, based on our primary concern for your security.
We are asked every day by clients whether we can support other processors who offer better rates, have attractive service packaging, or where personal loyalties might dictate a processor choice. While we understand the desire and need to shop the market, it is important to make sure the risks associated with choosing other processors are understood.
Does Smyth get a kickback from Mercury?
Before we go any further, we should dispel the issue of whether there is a kickback to Smyth Retail from Mercury. We do charge support fees specifically for credit card processing for any processor. Mercury does pay that support fee for you, just as they pay a significant upfront cost for the required Datacap NETePay software that we need for credit card processing. It’s part of their offering and appeal; it’s one of the reasons we partnered with them. But money is not a motivator in our offerings or decision to support Mercury over any other processor.
Our main concern is our clients’ security. With the latest P2PE technology, the cardholder information is encrypted by the credit card reader at the point of sale and securely transmitted to the Datacap NETePay software, which then decrypts and re-encrypts the request and forwards it to the processor for approval. The whole advantage of P2P encryption is that even if your network is breached, the credit card information is protected by a complex encryption algorithm, so cardholder information is never passed “in the open” through the network. The real advantage of Mercury Payment Systems is that they host the Datacap NETePay software on their servers, which in turn communicate with the processing network. With Mercury, the card is encrypted at the POS and never decrypted until it’s on Mercury’s server (and if it’s breached there, it isn’t the retailer’s responsibility and liability).
When we use other processors, the NETePay software must be installed on the retailer’s network instead of on the processor’s. This means that all the benefits of using P2P encryption to protect the data as it passes through the network are lost when the NETePay software decrypts the card information and communicates with the processor. We believe this added security risk is an unnecessary one for the retailer.
To complicate security matters, there are two types of card processing supported by other processors: host-based and terminal-based. In host-based environments, the bankcard processor stores approvals and committed transactions at the time they are processed, and batches are automatically settled nightly. In terminal-based environments, however, the cardholder data is stored in the NETePay software until manually settled by the retailer each day. This requires additional security to protect sensitive cardholder information that is stored (and available) temporarily on the retailer’s system. In either case, the NETePay software must be protected.
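A check a retailer can run against the two concerns above, as an added example (not code from this post, Datacap or Mercury): it scans captured POS traffic and any locally stored batch data for Luhn-valid card numbers in the clear. The source names, field names and sample bytes are constructed for illustration, and 4111111111111111 is the widely used test card number.

```python
import re

# Candidate PANs: 13-19 consecutive ASCII digits not embedded in a longer run.
PAN_RE = re.compile(rb"(?<!\d)\d{13,19}(?!\d)")

def luhn_ok(digits: str) -> bool:
    """Luhn checksum used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0

def mask(pan: str) -> str:
    """Keep first six / last four so the finding itself holds no full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def find_cleartext_pans(data: bytes) -> list[str]:
    """Return masked forms of every Luhn-valid digit run found in data."""
    hits = []
    for m in PAN_RE.finditer(data):
        pan = m.group().decode("ascii")
        if luhn_ok(pan):
            hits.append(mask(pan))
    return hits

def audit(sources: dict[str, bytes]) -> dict[str, list[str]]:
    """Map each source name to the masked PANs found; an empty list is clean."""
    return {name: find_cleartext_pans(blob) for name, blob in sources.items()}

# Constructed samples (not a real Datacap/NETePay wire or file format):
# an encrypted reader frame, and a terminal-based batch record left in the clear.
SAMPLES = {
    "pos_to_netepay_p2pe": (
        b'{"Device":"reader-01",'
        b'"EncryptedBlock":"9A3F0C7E51B2D84F6A0E3C9B7D15F2A8",'
        b'"KSN":"FFFF9876543210E00001"}'
    ),
    "terminal_batch_store": b"txn=0007;track2=;4111111111111111=25121010000?;amt=42.50\n",
}

if __name__ == "__main__":
    for name, hits in audit(SAMPLES).items():
        print(f"{name}: {'CLEAN' if not hits else 'CLEARTEXT PAN ' + ', '.join(hits)}")
```

A hit on traffic between the reader and NETePay means the P2P encryption is not in effect on that path; a hit on stored batch data shows the terminal-based exposure described above.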
The important thing here is that the best security isolates the retailer as much as possible. We work hard and invest a lot of resources to understand the best way to secure our clients. We feel that even the strongest cost savings don’t offset the security risk. The good news is that some other processors are beginning to offer hosting for the NETePay server and we encourage that approach.
Beyond Security
As behind-the-scenes specialists in helping systems integrators and software developers like us maintain compliance, Mercury Payment Systems has proven to be a great partner in helping our clients meet PCI requirements very inexpensively. Their Merchant Secure Assist program makes it easy to complete the required PCI Self Assessment Questionnaire and will provide the required quarterly vulnerability scans so you can stay compliant. We are confident that with our joint solution you will never need the $100,000 breach assurance they underwrite.
While we are happy with our close relationship with Mercury, what’s more important is that to Mercury we represent hundreds of retailers. If our clients are suffering from high rates or service issues, we have influence that we won’t have with a processor selected by only one or a few of our clients.
Technology Update
What may be more important to understand is the potential influence of the coming EMV mandate on future credit card processing. Card processing devices will need to be replaced to support EMV smart cards as well as the Near Field Communication needed for mobile wallets such as Apple Pay®. The new EMVCo standards require that each processor identify specific processing protocols and specific credit card devices. While we will continue to support as many options as possible, early market solutions will certainly be limited to a reasonable number of devices and service providers.
Tim Smyth says
A quick update to this post. When using the new EMV solution, Mercury/Vantiv doesn’t provide the same benefit, as the NETePay solution has to be installed on the merchant’s network for all processors, including Mercury/Vantiv.