|
Grex > Coop11 > #232: Summary of Grex's Credit Card Experiment | |
|
| Author |
Message |
aruba
|
|
Summary of Grex's Credit Card Experiment
| 
Feb 11 19:46 UTC 2001 |
Here's a summary of Grex's credit card experiment, broken down in detail.
I put my (limited) analysis of the data at the bottom.
Credits (Income)
----------------
Count is the total number of transactions
New means dues from new members
Renew means dues from renewing members
Misc means all other payments (TOP contributions, misc donations, etc.)
Month Count New Renew Misc Total
------ ----- -------- -------- -------- --------
Apr-00 8 228.00 60.00 6.00 294.00
May-00 7 222.00 1.00 223.00
Jun-00 14 396.00 60.00 45.00 501.00
Jul-00 13 204.00 132.00 2.00 338.00
Aug-00 4 204.00 204.00
Sep-00 3 42.00 42.00
Fees related to how much money we got
-------------------------------------
Disc means the normal amount our credits are discounts (3.05%)
NQ means charges applied to "non-qualified" transactions;
we pay an extra 1.65% on these. Don't ask me the difference.
Batch means $.35 which we pay per batch of transactions transferred
to our bank.
Month Disc NQ Batch Total
------ -------- -------- -------- --------
Apr-00 8.97 2.97 1.40 13.34
May-00 6.80 1.09 0.70 8.59
Jun-00 15.28 2.10 17.38
Jul-00 10.31 1.01 2.10 13.42
Aug-00 6.22 1.98 0.70 8.90
Sep-00 1.31 0.30 1.05 2.66
Authorizations and related fees
-------------------------------
Auth means fees for authorizing credit cards. Each authorization costs
$.35.
AVS I don't know what this is, but they cost $.05 each and their number
seems closely tied to the number of authorizations. It seems fair
to call it a "hidden charge" of authorization.
Month Auth AVS Total
------ -------- -------- --------
Feb-00 0.35 0.05 0.40
Mar-00 0.70 0.10 0.80
Apr-00 7.70 0.85 8.55
May-00 15.75 2.15 17.90
Jun-00 8.75 1.25 10.00
Jul-00 9.80 1.35 11.15
Aug-00 74.90 10.70 85.60
Sep-00 236.60 33.80 270.40
Other fees
----------
ChSol means fees paid to Charge Solutions, our front-end provider
CS is our monthly $10 customer service charge
ChBacks means chargebacks. This is what happens when someone uses a
phony credit card, and the real owner of the card complains.
Min is our monthly minimum fee. This comes into play when our other
charges add up to less than $35.
Other Includes a variety of mysterious charges, most notably:
Chargeback fee: $15/chargeback
12B Letter charge: I think this is a $10 fee for sending us a
letter telling us about a chargeback; so call
it a "hidden cost" of chargebacks.
Month ChSol CS ChBacks Min Other Total
------ -------- -------- -------- -------- -------- --------
Nov-99 175.00 175.00 (Application)
Feb-00 10.00 24.60 34.60
Mar-00 26.50 10.00 24.20 60.70
Apr-00 30.75 10.00 3.11 43.86
May-00 42.25 10.00 52.25
Jun-00 18.00 10.00 28.00
Jul-00 19.50 10.00 0.43 12.10 42.03
Aug-00 145.03 10.00 2.10 157.13
Sep-00 .03 10.00 112.69 35.70 158.42
Oct-00 29.00 10.00 90.00 41.05 170.05
Nov-00 10.00 25.00 35.00
Dec-00 10.00 25.00 35.00
Jan-01 10.00 25.00 35.00
Summary
-------
Month Credits Disc Auth Other Net
------ -------- -------- -------- -------- --------
Nov-99 (175.00) (175.00)
Feb-00 (0.40) (34.60) (35.00)
Mar-00 (0.80) (60.70) (61.50)
Apr-00 294.00 (13.34) (8.55) (43.86) 228.25
May-00 223.00 (8.59) (17.90) (52.25) 144.26
Jun-00 501.00 (17.38) (10.00) (28.00) 445.62
Jul-00 338.00 (13.42) (11.15) (42.03) 271.40
Aug-00 204.00 (8.90) (85.60) (157.13) (47.63)
Sep-00 42.00 (2.63) (270.40) (158.42) (389.45)
Oct-00 (170.05) (170.05)
Nov-00 (35.00) (35.00)
Dec-00 (35.00) (35.00)
Jan-01 (35.00) (35.00)
Grand Total 105.90
So, the good news is that we didn't actually *lose* money on the credit card
experiment (at least not yet), in fact we kept $105.90, or about 6.6% of
what people sent us. (That's not quite fair, since I'm including months
when our front end wasn't turned on. But it's pretty sad, no matter how you
cut it.)
That's the end of the good news, though. When we signed on to this venture,
we thought we would have to gross about $900 before we'd end up paying more
than our minimum fee of $35/month. But as you can see, we didn't even pay a
minimum fee in May, when our gross was only $223. What we've learned, I
think, is that getting rate information from the credit card companies
is like getting it from Ameritech: you can't trust them because there are
all kinds of hidden costs that aren't included in the quote.
First of all, there's the authorization fees, at $.35 + $.05 = $.40 apiece.
Even before we got hit with a whole slew of fraudulent authorizations, we
were still paying enough in fees to push us over our minimum monthly
payment.
Then there's the chargebacks. When that happens, not only do we have to
give back the money someone sent us, but we also have to pay a $15 fine and
then a $10 "letter charge". This probably isn't a very common occurence at
a corner drugstore, but for us it's bound to be frequent.
And then there's the Charge Solutions fees, which we were given no hint of
when we signed on. They changed their policy midstream and no doubt pointed
to some clause in the contract which let them do so.
So the upshot is, we got taken for a ride by a couple of big corporations
who were more savvy than we were. If we venture into this arena again, we
can try to decrease our risk in a couple of ways:
- Make sure the front end doesn't do authorizations until the treasurer says
they should be done. That will prevent what we saw here; a hacker running a
whole bunch of numbers past us, at $.40 a pop, to find out which ones are
bad.
- If we go with another front end provider, get a contract that doesn't
allow them to change their fee midstream. We are definitely on the low end
of the volume scale, so flat fees hurt us a lot.
But then there's still the chargebacks. They weren't what sunk us this time
(we had 3 at $25 apiece, plus of course we had to give the money back), but
they could easily be a big problem. I don't know what we could do to
minimize their impact.
|
| 98 responses total. |
aruba
|
|
response 1 of 98:
|
Feb 11 19:50 UTC 2001 |
My recommendation is that we drop our merchant account as soon as possible,
which I think we can do this month. (We're still paying $35/month until we
do that.) Until we formulate another strategy, we can at least get credit
card money via PayPal, even if it is awkward. If anyone thinks we should
try to find another front end provider right now, please speak up.
|
gull
|
|
response 2 of 98:
|
Feb 11 22:06 UTC 2001 |
I don't think credit cards are practical for Grex, if we do them
directly. Chargebacks will *always* be a problem because the position
of credit card companies is to side with the consumer, against the
business. I think we should forget the idea of directly accepting
credit cards, and look into "electronic cash" services like PayPal as
they become more common.
|
other
|
|
response 3 of 98:
|
Feb 11 22:13 UTC 2001 |
AVS is address verification service, which is used to verify that the
card number was not just a randomly generated and accidentally legit cc
number.
|
scg
|
|
response 4 of 98:
|
Feb 12 01:08 UTC 2001 |
Paypal is definitely the wrong interface. If all I want do do is send a bit
of money to Grex, it should require opening a new account, depositing money
into it, and transfering the money. It should be something that can be done
in one step by opening a card number. Given the comments other people here
have made in PayPal discussions about PayPal locking accounts without good
reasons to suspect fraud, I'm certainly not going to put any money into a
Paypal account at a point before the responsibility for the money is handed
off to the organization that's asking me to use PayPal.
The credit card processing problem Grex had can't be that unique. I'm
assuming, therefore, there must be a market for services that don't have that
problem, and therefore such services probably exist.
|
aruba
|
|
response 5 of 98:
|
Feb 12 04:25 UTC 2001 |
Where, Steve?
|
carson
|
|
response 6 of 98:
|
Feb 12 04:52 UTC 2001 |
(as gull pointed out, chargebacks will always be a problem for us,
despite scg's optimistic thinking, because it's not really a problem:
it's a feature, designed to protect the consumers that drive the market.
plus, it's a way for the card processors to make money off the people
that have it.)
|
carson
|
|
response 7 of 98:
|
Feb 12 05:01 UTC 2001 |
(I really shouldn't be so negative. there's a list of companies at
http://dir.yahoo.com/Business_and_Economy/Business_to_Business/Financial_Se
rvices/Transaction_Clearing/Credit_Card_Merchant_Services/Total_Merchant_Servic
es/
if y'all can wait until I'm back from St. Louis next week, I'd be willing
to weed through the list and identify which ones can meet our needs within
reason. I'd ask that we identify what we want from a credit card
processing service, and what we're willing to do to make it happen.)
|
mary
|
|
response 8 of 98:
|
Feb 12 14:16 UTC 2001 |
I'd rather Grex not muck with Credit Card transactions. We especially
want to stay clear of complicated contracts. We can't afford them.
(Can I be real tacky and say I told you so?)
|
aruba
|
|
response 9 of 98:
|
Feb 12 17:03 UTC 2001 |
Re #7: I think you can extrpolate from #0 what our volume is,
approximately, and what kind of fees we got screwed on last time. The
first requirement that comes to mind is that we not be vulnerable to
the same kind of attack as last time.
At the moment, I'm inclined to agree with Mary. (Though I did support
trying the experiment, since we didn't really know what it would be
like until we tried.) PayPal is, at least, very simple for us and
doesn't leave us vulnerable. (We pass the inconvenience on to the
user.)
scg is no doubt correct that other organizations have had the same
problems. But because we are very low on the volume scale, I'm not
convinced that it really is worth anyone's effort to provide a service
that does everything we want. (In other words, I think most people
doing business on the Internet eat a lot of charges, and we just can't
afford that.) PayPal may be the best we can do.
(The other issue, which I hesitate to bring up but think I should, is
one of accounting. The bills and deposits we got were pretty cryptic,
and it took a lot of work to decipher them and create the text of #0.
As I mentioned in the treasurer's report, we had one case in September
where a user filled out the membership form, and we were notified of
it, but we never got the money. No one discovered the discrepancy
until I dug through the bills. So reading the bills is not really
optional, since we need to keep our membership rolls accurate. I think
I can handle that, but in the interest of future treasurers, keep in
mind that there is an advantage to keeping the treasurer's job simple.)
But I'd like to see what Carson could come up with.
|
gull
|
|
response 10 of 98:
|
Feb 12 19:26 UTC 2001 |
Can we afford to hire a lawyer to go over the contract, next time, so we
don't get surprised again? If not, we probably shouldn't do this.
|
prp
|
|
response 11 of 98:
|
Feb 12 21:16 UTC 2001 |
About charge-backs:
Are these people who charge a membership, and then change their minds, or
fraudulent charges for which someone failed to check id? The $25 cost
makes me think they are the latter. It would seem that the former should
be handled like returns, where the merchant initiates a refund instead of
a charge.
|
ea
|
|
response 12 of 98:
|
Feb 13 01:43 UTC 2001 |
I think that Grex should find a way to accept credit cards. I'm sure
there are ways that are A) easier than PayPal, and B) minimize the risks
and costs to Grex. PayPal is ridiculously complicated, and is probably
more work to get money to Grex than writing a check. PayPal is also
slow. Add the fact that it doesn't verify identity, and it ends up
seeming like a really bad way for Grex to collect money.
Personally, I used a credit card to become a member, and also to cover
my TOP donation. It would have been much more inconvinient to write a
check, as my checkbook is not stored in the same room as the computer,
and I don't usually keep stamps or envelopes around.
|
scg
|
|
response 13 of 98:
|
Feb 13 03:49 UTC 2001 |
I've been delaying renewing my membership, hoping that it would be made easy
to do. I would still be a member if it were easy to send money to Grex.
Opening a PayPal account doesn't qualify as easy. Finding Grex's address,
my checkbook, and postage stamps at the same time doesn't count as easy.
Filling out a form on a web page that asks for a card number would be.
I haven't done much in the way of research on online credit card acceptance.
I think I saw something on PayPal's site saying how to set up a PayPal
business account to accept credit card payments directly, instead of just
accepting PayPal payments, so that might be a way to do it. Another way to
handle this would be to do credit card verification without an automatic
online interface. Standard non-website based credit card processing tends
to include a terminal that you can either swipe the card's magnetic strip
through or key in a card number, so if you wanted to handle credit cards
manually that would be a way to do it. There is also software that can act
like those terminals (I think ICVerify is what WWNet was using), where a human
can enter the card number, and the computer either processes the transaction
once, or can be set to do it at some regular interval (which would be useful
for people who wanted their memberships to be automatically renewing). Or,
if you want to continue using somebody else's online credit card processing
system, there are plenty of other companies out there doing it and some of
them may have come up with better safeguards.
Being cautious is certianly a good idea, but deciding that accepting credit
cards is impossible because of one bad experience with one unhelpful
processing company makes no sense at all. If at first you don't succeed, give
up?
|
aruba
|
|
response 14 of 98:
|
Feb 13 04:29 UTC 2001 |
I think that kind of talk is pretty cheap. And I think Grex doesn't have
the resources right now to take another hit like we did this time. (I
don't know about anyone else, but I feel guilty about having squandered 93%
of that money that people sent us. I feel obliged not to repeat the
experience.)
I could certainly process the transactions manually; I believe I could do
that right now, by calling in the numbers. The problem is in getting the
credit card number from the potential member to me without running the risk
of it being stolen.
What are the prospects for setting up our own secure server? How much does
a VeriSign certificate cost now? Do they give any discounts to nonprofits?
Is there anyone else selling certificates who might give us a break?
|
carson
|
|
response 15 of 98:
|
Feb 13 06:23 UTC 2001 |
(I agree to look into this when I return from St. Louis.)
|
scg
|
|
response 16 of 98:
|
Feb 13 06:36 UTC 2001 |
With Netscape, you can get a list of the signing authorities it has
certificates for by clicking on the lock in the lower left corner of the
window, adn then clicking on signers in the window that will open. It's a
pretty long list, and I can't figure out how to get Netscape to let me copy
and paste it here.
Internet Explorer presumably has a somewhat different list, with some overlap.
If I'm understanding www.verisign.com correctly, their keys are $349 for the
first years, and $249 per year after that, probably out of Grex's pricerange.
Presumably some of the other signing authorities have keys available more
cheaply. It may be that somebody who already has a secure server would offer
to host a page for us. I think I remember somebody making that offer last
time we had this discussion, but I forget who. Alternatively, in typical Grex
fashion, we could make our own secure key. The web browsers would complain
that they didn't know if they could trust the key, but it would work.
Of course Grex doesn't have the resources to take the hit it did last time,
but that was last time. The pricing and contract weren't reviewed carefully
enough (maybe before the fact, or maybe we caved in too easily afterward).
that means this should be done again with more caution, making sure this
problem doesn't happen again, not that it shouldn't be done again at all.
|
charcat
|
|
response 17 of 98:
|
Feb 13 09:44 UTC 2001 |
the reason some small mom and pop stores don't take plastic is they find that
all the profits are eaten up by the charge card's charges for using the
service. 10 percent of what is donated is like donating nothing, more hassel
than it's worth. (I hate it when someone donates money for a good cause and
it dosn't get there)
well, that's my 2cents worth >^.^<
|
aruba
|
|
response 18 of 98:
|
Feb 13 15:48 UTC 2001 |
Re #16: Thanks Steve, for the Netscape info. I don't recognize any of those
certificate signers other than Verisign, but digging around would certainly
be in order. And maybe just making our own certificate is the smartest
thing to do.
Now, do we have the technical expertise to set up our own secure server? If
so, how long would it take?
Frankly, Steve, I think you're asking us to go to a lot of trouble to
accomodate your laziness. :)
Re #17: I agree completely.
|
keesan
|
|
response 19 of 98:
|
Feb 13 19:48 UTC 2001 |
We have registered software by emailing a credit card number and other
relevant information (name, mailing address, expiration date) to the author.
No online forms needed, no ssl or javascript needed. Is this what people have
already suggested? What total percentage does an individual who accepts
credit cards this way pay the credit card company? You still run the risk
of an occasional bad credit card, but not of multiple hits from one vandal.
Also, would it be fair to charge members paying by credit card an extra 10%
to cover the cost of making things easier for them? (And is it really worth
$6 extra to pay for a year by credit card rather than by check?) I doubt that
many vandals would go to the trouble of submitting a bad credit card number
since they really have nothing to gain other than the satisfaction of being
a nuisance. You can also make sure the From email address is valid before
accepting a card number, and notify the ISP if there is fraud. (I just
notified AOL about some spam from a TOMDRIVEN). I doubt that grex would have
so much credit card volume that the treasurer could not keep up with manual
processing.
|
flem
|
|
response 20 of 98:
|
Feb 13 19:52 UTC 2001 |
A couple of things. First, I am of the opinion that we should drop
CardService. If (when?) we go after credit cards again, I think more
research is called for than we had this time, and I don't see us
coming to a reasonable solution involving CardService within the next
few months; that is, soon enough for keeping the CardService account
to save us money. Also, Mark, you may want to call CardService up and
find out exactly what the timeline is for closing the account. I
don't remember dates exactly, but my feeling is that we'd best hurry
or we'll find ourselves in for another six months whether we like it
or not.
Second, folks who dislike PayPal because it's too complicated should
check out the updated membership page,
http://www.cyberspace.org/member.html
I hacked this together with srw's help about a month ago, using
Paypal's web accept feature. It should be much simpler than the
process I outlined earlier. It will still leave you with a Paypal
account, but with no hassle I'm aware of.
I think that, in spite of the logistical difficulties of PayPal, we
should seriously consider sticking with it, at least for a while.
It's cheap, it protects us from chargebacks in most cases, and it's
low-maintenance for the treasurer. The most serious drawback to
PayPal, as far as I'm concerned, is that it doesn't support
international transactions very well.
|
flem
|
|
response 21 of 98:
|
Feb 13 19:56 UTC 2001 |
resp:19 slipped in.
Emailing credit card numbers is a Bad Idea.
Our contract with CardService (or maybe Charge Solutions, I don't remember)
prohibited us from charging more for people who pay with credit cards. I get
the impression that this is pretty much universally the case; Visa may require
it, or it may be required by law, or something like that. I'd be disinclined
towards it anyway, though.
|
gull
|
|
response 22 of 98:
|
Feb 13 20:40 UTC 2001 |
Re #19: Emailing credit card numbers without encryption is a bad idea
and I'd never do it. There's just too many opportunities for someone
unsavory to get the number along the way.
|
scg
|
|
response 23 of 98:
|
Feb 13 21:24 UTC 2001 |
If it were just my lazyness, it wouldn't be a big deal. I'm assuming,
however, that my lazyness is probably somewhat typical.
|
scg
|
|
response 24 of 98:
|
Feb 13 21:25 UTC 2001 |
I don't think I've checked out the member.html page lately. I'll take a look
at it.
|