
Client History

CASE STUDY: Why did this company’s cost of processing suddenly shoot up?
 

The client was a multinational Fortune 500 company providing retail services. They came to CSRSI because, over the preceding 18 months, the average cost of merchant services rose from a blended rate of 1.87% to a blended rate of 2.46%, representing an annual cost increase of more than $3 million. The client became aware of this issue through an internal analysis as its current merchant payment services contract came up for review.

CSRSI reviewed the merchant service statements for the preceding 30 months for each of the over 350 Merchant Identification Numbers (MIDs) that were present in this payment environment. Analysis revealed that a single business unit accounted for nearly the entire increase of fees. That unit was targeted for a further detailed review.

CSRSI examined multiple parameters including chargeback rates, bucket distribution of cards accepted, types of cards accepted, distribution of card brands, credit ratios, electronic payment front end and back end routing and pathways, fee types and ratios among other factors. The pattern of unusual activity emerging from this broad investigation indicated a strong possibility of fraud.

At this point the review shifted to an audit of each division within the business unit, including customer service, treasury and finance. Separation-of-duty issues were also considered, as were point-of-purchase protocols. The determination was made that a senior manager in the business unit was defrauding the company by manipulating the flow of credit card payments to separate accounts, issuing inappropriate or unmatched credits, accepting clearly fraudulent cards from a single point source and similar activities. It was demonstrated that the perpetrator was likely responsible for over 10 million dollars in losses, combining lost product and increased cost of merchant services.

The perpetrator was discharged and remanded to the criminal justice system with the hope of recouping some part of the loss through restitution. Once the root cause was identified and eliminated because of CSRSI’s analysis, the merchant’s processing costs returned to normal levels.

In addition, CSRSI was retained to analyze and review merchant service activity on a monthly basis using our proprietary CCAS (Credit Card Analysis System). The review included analysis of charges, ratios of chargebacks, credits to debits, distribution of card acceptance and other proprietary fraud and cost detection findings. Subsequent to the initial analysis, three more incidents of fraud at the location level were detected over the following twelve months and appropriately managed without further loss to the company.

 

CASE STUDY: Same company, same processor, but different interchange treatment from store to store
 

A retail chain with 125 stores came to CSRSI after an internal audit found that several stores within the chain were paying more for their acceptance of credit cards than the average store, even though all stores were covered under a single merchant agreement. Review of merchant service statements and communication with the processor did not resolve the discrepancy.

CSRSI reviewed all policies and procedures related to the client’s merchant services. We found that although corporate policies were in place, they were not known or followed in the field. Further, there were multiple discrepancies in how merchant services were handled on a store-to-store basis. Although Interchange-qualified rates were the same throughout the enterprise, the charges for types and percentages of downgrades varied on a store-by-store basis. On a month-over-month basis, many stores had greater than the acceptable normative variations in their card acceptance patterns, and the variations proved to be related to the varying demographics for each store.

Further examination revealed significant, and at times stark, differences in the versions of payment processing software and hardware at the various locations. CSRSI realized this was due to the acquisition of various stores at different times from previous operators. This left the client unable, in multiple ways, to uniformly manage merchant service charges and transmit payment data to the processor. It was noted that the processor did not discuss this issue with our client, even though it was one of the causes of the increasing downgrades.

Our analysis concluded that over 3 million dollars in inappropriate or excessive charges had been levied over the previous 24 months. Given the multiple issues involved and the argument from the processor that some responsibility fell on the client, a settlement was reached in which the processor returned to the client 50% of documented overages—a recovery in excess of $1.5 million.

After this experience, CSRSI was retained by the client to analyze merchant service performance and charges on an ongoing basis, both corporate-wide and store-by-store.

 

CASE STUDY: Preventable Theft of Personally Identifiable Information

The Benefits of a PII Flow Diagram and Controls

 

Often an organization does not know or realize all of the places that data lives during its lifecycle and the vulnerabilities and compliance violations that this may cause.

Each CSRSI engagement for evaluation of Personally Identifiable Information (PII) is based upon obtaining the knowledge of the lifecycle of the critical data elements. Lifecycle represents each data point from the time of acquisition to retention to destruction.

This process is best accomplished by building a detailed flow diagram of the data elements as they flow through an organization.

Situation

In a recent CSRSI engagement, a casino company obtained PII data when clients of the company registered for “player cards”. This included collecting data points, specifically driver license numbers and dates of birth, when daily buses arrived with guests. It was the practice of the client to obtain these data points electronically and physically for the purposes of formatting the player cards.

Findings

A careful evaluation of the flow of one specific data point, the driver license number, revealed that it had become the practice at the reception area where the buses arrived to manually write down the driver license numbers on a separate guest log sheet as a means of identifying guests as they entered the facility.

What was not understood by management was that these written logs with driver license numbers were not destroyed but had accumulated on a corner desk for at least the previous year. In fact, there were over 10,000 guest names with associated driver license numbers lying on the desktop in the open, unprotected and without any form of tracking. This represented a great compliance risk to the client and a high-value fraud target to anyone wishing to engage in identity theft. Although the practice was identified by the flow diagram process and immediately stopped, there is no practical way to know if the driver license numbers and associated names were stolen by any others.

Outcome

The information was stolen and identity theft occurred based on this information. There were no controls of any sort. In fact, the casino did not know where the information was or who really had access.

The litigation is ongoing and the consequences are significant.

IMPORTANT TAKEAWAY: Driver’s license numbers and dates of birth are protected as PII. There must be specific controls over this information.

Why Companies Choose CSRSI to Diagram the Flow of PII

CSRSI brings to the table the experience to know where to look, what is acceptable, the shades of grey, what to fix and how.

To learn more about how CSRSI documents the flow of Personally Identifiable Information, call or email Ross Federgreen (866-462-7774 x1) or Jan Carroza (866-462-7774 x4).

 

CASE STUDY: Merchant Statement Monitoring Caught Internal and External Fraud

Situation

A hotel operator with 12 different POS locations within one property engaged CSRSI to monitor their merchant services on a quarterly basis. Each Merchant Identification Number (MID) was monitored for numerous findings and specific ratios, including chargebacks, credits and percentages of card distribution. After two cycles (six months) there were clear aberrations, such as unmatched credits, in two of the locations when compared to our proprietary database (called CCAS) as well as to their other operating units.

Findings

An investigation found that the dates on which the aberrant events occurred at these two locations matched perfectly with a single employee who was being moved between them. Deeper investigation of the times on those dates, compared against this employee’s time card, showed that the match was 70%.

Looking at the other employees who would account for the time of access, it was noted that three employees matched these times and locations with a 90% confidence level.

Outcome

Local authorities investigated these three individuals, and it turned out that one of the individuals was the girlfriend of the primary suspect. She turned state’s evidence and the culprit was arrested and convicted. The other employee was terminated. Loss to the property was at least $19,000 over one year.

IMPORTANT TAKEAWAY: The sensitivity and accuracy of monitoring is very high. No one at the property would have been able to identify this for a long time or at all if not for the analysis. The property executive team and their outside auditors readily stated that they would not have been able to do this or understand the statements to extract and identify this critical information.

Learn more about how CSRSI monitors merchant processing statements to identify fraud and errors by calling or emailing Ross Federgreen/East Coast (866-462-7774 x1) or Jan Carroza/West Coast (866-462-7774 x4).

 

CASE STUDY: Renegotiation of Merchant Services Contract Found Overcharges, Unnecessary Downgrades, Liability and Loss of Float

 

CSRSI provides Request for Proposal (RFP) and BID/SPECIFICATION services for complex merchant service processing contracts and other forms of electronic payment acceptance. The value-add of these services is a detailed understanding of pricing and nuance within contract negotiation and performance of electronic payment vendors.

Situation

A major public company that processes over $5 billion per year in credit card charges engaged CSRSI to evaluate the performance of their own team, who had spent over 18 months performing an RFP for merchant services. This was done at the insistence of the Board of Directors because a number of the BOD members had experience with CSRSI from their own companies.

Findings

CSRSI reviewed the results of the internal RFP process and found that, measured against market conditions, the processing relationship was not maximized for the benefit of the client. Further, we identified multiple areas where the conditions of the contract favored the processor, including such items as reserve accounts, security interests, and terms and conditions of termination.

Outcome

CSRSI went back to the chosen provider and renegotiated the contract on behalf of the client. This resulted in significantly more favorable terms including a net cost reduction of over $5 million across the three-year term of the contract.

More Findings

Subsequent to this, the client engaged CSRSI to manage the entire process for another division of the enterprise. This resulted in over $1 million being paid to the client by the chosen processor at the time of closing, with more favorable terms than those which were achieved with the renegotiation process. That processor is on notice after these results and fully understands that their relationship with the client has become threatened. We have opened a new round of renegotiations with the first processor and favorable results are fully expected.

IMPORTANT TAKEAWAY: Many clients do not realize that all contract elements are fully negotiable, and even if they realize this, they do not know what the market will bear or all the fine points of the negotiation process.

How does CSRSI negotiate merchant processing to improve value? To find out, call or email Ross Federgreen/East Coast (866-462-7774 x1) or Jan Carroza/West Coast (866-462-7774 x4).

 

CASE STUDY: Non-Compliance with PCI Standard Allows Data Breach & Increased Costs

 

Situation

A hospitality facility had multiple information systems and registration systems on their property. The property had not gone through the process to become compliant with the Payment Card Industry-Data Security Standard (PCI-DSS) as required. A trusted employee in tandem with an outside “black hat” organization breached the system.

This occurred because the trusted employee was able to extract passwords from fellow workers by asking the other employees for their passwords. Additionally, all information was unencrypted.

Findings

The property’s defense was that the reservation and information systems were PCI compliant. However, investigation found that both systems were outdated and the versions that they were using were not PCI compliant. Further, the property had to be compliant regardless of the systems used. In fact, if the property had gone through the process to be PCI compliant, they would have readily realized the state of the situation including the fact that the versions of the software were not compliant.

Outcome

The results were significant fines, ongoing litigation and increased merchant service costs because of PCI violations.

IMPORTANT TAKEAWAY: PCI-DSS failure can cause significant increases in merchant service costs, and increase susceptibility to internal and external fraud, data breaches and fines. All merchant service contracts today require merchants to be compliant with the Payment Card Industry-Data Security Standard.

If you’d like to learn more about how CSRSI helps clients tackle PCI-DSS compliance, please call or email Ross Federgreen/East Coast (866-462-7774 x1) or Jan Carroza/West Coast (866-462-7774 x4).

 

CASE STUDY: Employee Caught Selling Personally Identifiable Data

Preventable with PII Flow Diagram, Procedures and Controls

 

Situation

A national client engaged CSRSI to do a flow examination of Personally Identifiable Information (PII). The client collected significant information from potential customers for the purposes of marketing land development projects. Each time a customer was entered into the system, following the customer’s response to an offer of a free three-day vacation in exchange for listening to a sales pitch, the following data points were obtained: Date of Birth (DOB), Driver’s License, bank information and, at times, social security numbers, DOB of spouse and children as well as credit card numbers for “incidental” expenditures. This information was put into both electronic and physical files. These files were protected neither physically nor electronically.

Findings

CSRSI was called in after an employee was found selling PII to a third party. Our investigation and flow diagram demonstrated that no fewer than 87 employees at 12 separate locations had full, undocumented access to this information. In addition, the rooms where this information was kept were unsecured, so there were numerous others who had access and might have availed themselves of this information.

IMPORTANT TAKEAWAY: Companies need to document the lifecycle of these protected PII data elements, including where they hold Personally Identifiable Information, destroy what they don’t need, and secure what they keep with procedures to document access.

If you’d like to learn more about how CSRSI documents the flow of Personally Identifiable Information, call or email Ross Federgreen/East Coast (866-462-7774 x1) or Jan Carroza/West Coast (866-462-7774 x4).

 

CASE STUDY: Monitoring Merchant Statements Uncovers Fraud, Overcharges and Drives New Strategies

 

Ongoing monitoring of payment relationships is central to the ongoing relationship that we have with our clients. Monitoring is performed to identify and prevent fraud and theft, to grade the inter- and intra-business-unit payment acceptance performance of an enterprise, and to evaluate ongoing contract compliance on the part of the payment service vendor.

Situation

Business Unit Comparison

A client with 300 business locations divided into seven regional operating units engaged CSRSI to monitor the electronic payment performance of each of the units, regions and the corporate entity as a whole.

Areas of focus included rates of chargebacks, distribution of card types accepted, percentages of downgrades and payment bucket assignment, as well as the number of dollars and transactions processed. Each of the business units under each of the operating regions was analyzed and compared.

Findings

Numerous important findings were observed. These included specific locations with evidence of probable fraud, variations in processing cost for the same transaction types despite being on a master contract, and differences in the distribution of card type utilization. These observations extended to the regions as well.

Outcome

This new knowledge has helped the client with strategic decisions and fraud prevention, as well as with contract discussions, which included financial reimbursement for overcharges.

IMPORTANT TAKEAWAY: Monitoring merchant statements can provide insight into illegal activities like fraud and expose liabilities, inconsistencies, overcharges, downgrades and errors to be remedied.

How does CSRSI monitor merchant processing statements to identify fraud and errors? To learn more, call or email Ross Federgreen/East Coast (866-462-7774 x1) or Jan Carroza/West Coast (866-462-7774 x4).