Thursday, 29 January 2015

Card processing costs could double in 2015 for UK debt industry

For many years the European Commission has been signalling its desire to regulate ‘interchange’ – the fee paid between banks for processing card payments – which is typically passed on wrapped-up in the fees paid by the merchant who takes the payment. 

In 2013 the EU decided to cap interchange costs at 0.3% for credit cards and 0.2% for debit cards and this is now being implemented for all domestic card processing during 2015. Although this cap applies only to the rates paid between the banks, with merchants always paying an additional margin or fees on top, clearly the EU is hoping some of the reduction will be passed on to merchants. Estimates suggest this could total a £1 billion annual saving for UK merchants and as much as €10 billion across the entire EU.

This should be good news shouldn’t it? Not so fast - there are some clear winners and losers. 

Whilst credit card processing fees are expected to fall, the position with debit cards is more complicated. Debit card processing is typically a pence per transaction fee, so in response to the % cap it’s anticipated most if not all UK acquirers will switch to a predominantly %-based fee. This might be good news if you take lots of smaller payments, but not so much if you take larger payments. Roughly speaking merchants taking payments for less than £35 will pay lower fees, but transactions above £35 will pay more.

And that’s not all.

Payments taken over the telephone (classed as ‘customer not present’ or CNP) will be deemed non-secure, even when the AVS/CVV2 numbers are captured, and will be subject to an additional charge.

So, what does this mean for the UK debt industry? The debt industry’s card processing is predominantly conducted over the telephone (90%), mostly debit card (95%) and an average transaction value typically between £50-100. On that basis, it is quite possible that most UK creditors and debt collection agencies card processing costs could double.

The one small positive is when these changes are implemented merchants are likely to have the opportunity to switch providers, even if they are within an existing contract period. So my advice for merchants is to use this opportunity to shop around for the best deal and see whether some of this increase, which you can’t avoid, can at least be reduced by switching to a cheaper provider.

By Sajid Hussain, Business Development Manager, TDX Group

Friday, 23 January 2015

Should debt collection agencies certify to a security standard?

At TDX Group, we’ve chosen to certify to ISO27001 – the international standard for information security management – so clearly we believe this is a critical investment that reflects our commitment to data security. However, for smaller businesses, such as debt collection agencies, do the benefits justify the cost and operational overhead? Or, are there other options?

I guess the place I start is ‘why certify’ at all?

Data security is an ever higher priority for businesses as continual international debate on privacy and the endless list of data breaches makes customer trust increasingly difficult to maintain. So, being able to show consumers and customers that you’re subject to regular independent audits on security can earn or retain customer loyalty, set your organisation above competitors, and build trust in your brand. In short, certifying is no longer an optional extra, it’s a ‘must’ and a regular independent audit is a key part of making sure that data is being handled securely.

So assuming you do go ahead and certify, in addition to the few mandatory standards (such as PCI DSS), there are a few important considerations to weigh up when choosing your standard:

1. Global recognition
Very few of the over 1,000 existing standards are recognised (let alone valued) in the world’s biggest markets. Be wary of local or unproven standards which have a much lower impact in other markets, and always aim to utilise third parties who are accredited by a national body (such as UKAS in the UK).

2. Cost
Be sure to compare the cost of certification to the benefits that you can reasonably expect it to bring – such as reducing client audit overheads or attracting new business, as well as mitigating the risk of a data breach. Don’t forget to consider any impact on your existing processes, which may have to change to conform to your chosen standard.

3. Longevity
The rate of change in IT security is often faster than standards can be reviewed and updated. When you’re choosing a standard, you should make sure that it’s flexible in order to allow you to respond to market demands or emerging threats.

4. Scalability
All being well, your organisation will grow over time – choosing a security standard which is designed for small businesses is likely to reduce the initial workload, but may mean that your hard work in gaining certification is abandoned when you lose the ‘SME’ label.

To ISO or not to ISO?

Certifying to a security standard can be an expensive process, particularly with up-front costs such as audits and potentially consultancy support. However, once it’s in place, and with the correct marketing effort, holding a recognised and trusted certification can put your business ahead of its competitors. If adopting ISO27001 immediately is too onerous, using a lighter standard such as the UK Government’s Cyber Security Essentials is a method of reducing the short-term challenge and preparing an organisation for more in-depth and rigorous standards over time.

At TDX Group, our view is that ISO27001 as a trusted barometer for security management, and we strongly

encourage debt collection agencies to certify to this standard using a UKAS-accredited certifying body.

By David Rimmer, Head of Information Security