Assuming they haven't updated it since I was there, its an auth token that expires after a specific amount of time (I want to say 2 weeks but its been a long time)
When you swipe your credit card it tends to end up batch processed not in real time but yeah that does eventually go through a mainframe. Other than that I agree gooby. :)
I think that you have bigger problems if anyone anywhere has commit privileges to your repository. You must trust your commitors. Am I missing something?
I think he means rack mount home servers, those are pretty nuts because of the noise that most rack mount cases make. Figure in a 1U case you normally have at least 4 15K RPM fans going at all times, even if you put it into "quiet" mode its enough to hear from the next room normally.
Do you advocate setting up something like google authenticator (RFC6238 I think?)if you run your own email server or does it make more sense to use client side SSL certificates for that?
So as far as security for email goes you prefer people to outsource to Google Apps or similar rather than likely screwing up and having an insecure configuration?
Just curious what you consider best practices to be in that case.
No merchant account provider will open a new account without the personal social security numbers of the principals. Otherwise you could defraud one bank then the next your whole life by simply forming a new LLC/corp each time for $100 a pop.
When a merchant is terminated for fraud, breach of contract or excessive chargebacks, they can be placed on the TMF (Terminated Merchant File) and MATCH (Member Alert to High-Risk Merchants) lists which all Visa/MC member banks have access to. The social security numbers of all the principals are added to that list, so that if they apply with a new business somewhere else, the bank knows they've previously been a principal of a business some other bank terminated, and the reason.
Because merchant banks require them. Anyone can create any number of C corporations at any time. Merchant accounts are one of several business services that young companies can't set typically set up without somehow binding the contract to the business owners themselves.
Merchant accounts are one of several business services that young companies can't set typically set up without somehow binding the contract to the business owners themselves.
I've noticed a disturbing trend in this respect recently, with seemingly everyone from law firms to banks wanting personal guarantees from someone to back up the company. This practice should, IMHO, be prohibited by law, and this should be impossible to override via any contract.
The entire point of a limited company (in UK terms) structure is that you know you are running a legally separate entity, and everyone else knows they are dealing with a legally separate entity. Everyone should judge the risks they are willing to take and offer terms that factor in those risks accordingly. This is done to incentivise people to start new businesses where there may be some degree of risk, without having to risk literally the roof over their heads to do it, and is universally acknowledged to be in the interests of economic development, which is why every major economy in the world has a concept analogous to that limited company.
Checking the credibility of the principals and asking for things like business plans and company financial statements is all perfectly reasonable so that a potential business partner can judge the level of risk. However, allowing piercing agreements is simply a completely one-sided deal: the little guy is now back on the hook for all of the risk, yet still takes the hit on all the bureaucracy associated with running a formal company.
If such agreements were banned, the banks and lawyers and other high-powered services would still have to deal with other businesses or they'd have on customers. They'd just have to be more realistic about what they charged if they wanted to continue working with profitable customers in the long run.
[Edit: Incidentally, piercing agreements do not seem to be completely universal. We've seen some fairly unpleasantly one-sided terms while investigating payment services, frequently including things like requiring direct control of your main bank account so they can grab whatever they feel like whenever they feel like it, but not everyone has asked for personal guarantees (as opposed to a personal credit check) at least at the stage we've got to with them.]
Banks already do ask for financials and corporate track record. You're required to stake your own credit when your financials are inadequate. You want that to be illegal? It's better than those companies not be able to obtain merchant accounts?
Banks already do ask for financials and corporate track record. You're required to stake your own credit when your financials are inadequate.
As far as I can see, those providers who require personal guarantees usually do so as a standard condition for almost any new business. Effectively, they consider everyone's financials to be inadequate.
You want that to be illegal? It's better than those companies not be able to obtain merchant accounts?
Someone would still offer the merchant account services to businesses who could demonstrate a reasonable business plan, because on balance they would make money from doing so. Most new businesses are not, in fact, going to experience a 30% chargeback rate four months after the original sale.
The banks obviously know that, they just want (as usual) to privatise the profits but externalise the risks/losses. I have no problem with prohibiting that kind of predatory behaviour. It's a potentially significant barrier to starting a new business, and with the global economy in its current state, allowing absurdly risk-averse banks to inhibit new businesses is exactly what we shouldn't be doing.
If the banking industry had a track record of assessing its clients responsibly and lending (or not lending) based on the results of those assessments and reasonable assumptions, I would be happy to cut them some slack. But we all know damn well that they aren't doing that. And if governments are going to pressure them just to lend to small businesses, they should certainly pressure them to provide basic services to businesses that are viable without relying on loans as well.
If someone could make money by offering merchant services to businesses with no credit history, they'd already be doing it. No law requires banks to require personal credit checks for merchant accounts.
If it's possible to build a viable business offering merchant account services backed by absolutely nothing other than the creditworthiness of a brand-new corporation, why is nobody doing that already?
Because they don't have to. The negotiating positions are entirely one-sided, and since they command all the power, they can essentially impose arbitrarily harsh terms to any extent the law permits.
I'm not sure you're following what I'm saying. That's probably my fault, for being terse. Even if the negotiating positions are "entirely one-sided" right now, that position leaves the door open for a competitor to capture market share by offering accounts without personal credit attachments. And yet nobody does that. That suggests one of two things: either (i) you can't capture much market share by offering easy terms for a merchant account (unlikely, to my mind) or (ii) you can't stay in business offering those terms.
Even if the negotiating positions are "entirely one-sided" right now, that position leaves the door open for a competitor to capture market share by offering accounts without personal credit attachments. And yet nobody does that.
Are you sure about that?
That suggests one of two things:
No, there are other possibilities. One is that the merchants assume that you're right and everyone is going to screw them the same way. Another is that they simply don't understand the profound legal implications of a couple of lines of small print and one more signature because, like most start-ups, they're trying to build a company and not paying lawyers thousands to review dozens of pages of terms sent by every financial service provider they've contacted.
And if the personal guarantees are going to go away once the business is a going concern, there's no problem with writing a shut-off date into the contract to make this explicit from the beginning, is there?
You can anonymously acquire a Nevada shelf corporation in a week or two. If you were able to just setup a merchant account without a personal guarantee, you could then trivially rack up a significant volume of fraudulent charges without any recourse. (The bank would literally not know who you are)
If you are a real business, you will almost certainly change credit card processors anyway to get better payment terms as your volume increases. The last startup I worked for changed at least three times as our volume grew.
I think we're talking at cross-purposes here. I don't think any of us are suggesting that merchant accounts should be made available without any checks at all.
It's reasonable to ascertain the identities of those running the company. While I'm no expert on US law, certainly here in the UK company directors have some basic responsibilities for acting responsibly and so forth and could be on the hook if they've been severely negligent, so you have that the moment you're dealing with the company itself.
But the point of a piercing agreement seems to be to put the company's controlling people on the hook personally even if they aren't grossly negligent and the business just doesn't work out. The fundamental point of setting up an independent legal entity is to sever that connection, and I personally believe that everyone should treat negotiations accordingly.
Insisting on personal liability for a corporate account is equivalent to denying the account to the corporation.
Bankers would prefer to have you sign away your first born children too (sounds like something out of Dickens). But we've made such practices illegal and there's no evidence that the money supply is suffering for it.
Help me understand. What you're suggesting is that, simply by having paid a couple hundred bucks to incorporate, regardless of my personal credit, I should be able to establish a merchant account?
Asking to see some personal references and a personal background check is one thing. But requring a 'natural person' to become personally liable for a corporate contract is basically equivalent to denying the corporation.
So maybe the bank is willing to issue the merchant account to the individual with the understanding that it may be used by a corporation. But let's not call it something it isn't.
You said it earlier: requiring a personal guarantee is indeed the equivalent of denying the account to the corporation. I'm not sure what else there is to talk about, unless you think contracts for merchant accounts should be compulsory.
I'm not sure what else there is to talk about, unless you think contracts for merchant accounts should be compulsory.
Completely automatic is obviously silly because of the fraud risk, but a presumption in favour and/or formal restrictions on acceptable criteria for refusal aren't nearly as absurd as you're implying.
We're talking about a very closed industry and a service that, in practice, directly affects people's ability to trade.
We regulate service providers in other essential industries, and they can't deny provision to a customer just because they don't like them. It's part of the deal if you want to operate in those markets.
And there are all kinds of laws to prevent or restrict one-sided deals that inhibit people's ability to trade. There are laws about monopolies and anti-competitive behaviour. The handling of non-compete agreements in employment law would be another obvious example in a slightly different context.
The "service providers" in those other "essential industries" that can't "deny provision" because they "don't like them" have, as a general rule, been granted monopolies. This is a silly conversation. The system that works the way you seem to want it to is the subject the thread; it's Paypal.
No, PayPal is almost the opposite extreme: they do very little in the way of checking up-front, and that's why there can be problems later when their aggressive fraud checks kick in.
I'm not looking for anything so dramatic, just that merchant account providers should recognise that they are dealing with a separate legal entity. Identifying the key personnel is reasonable, and so is wanting to check them against databases of known fraudsters etc. Asking to see financial statements, business plans, projections, etc. is all reasonable too. So is requiring a cautious degree of funds retention until the trading patterns become clear is reasonable. I really don't have a problem with a merchant account provider wanting to know who they're dealing with and to have some confidence that the company is a viable business; that's only fair.
I'm simply arguing that putting members of the company on the hook personally is not fair. If you're going to have companies at all then you have to protect them against such arrangements by law or you've devalued the entire concept and undone whatever benefits you were hoping to achieve in terms of incentivising entrepreneurial behaviour in your economy.
For the record, I'd add demanding direct control of the company bank account as a red flag as well. Aside from the glaring potential for abuse or error by the merchant account provider (for which, by the way, the company directors will once again take the heat), this has obvious implications if the company ever fails: it allows the payment company to grab whatever it decides it's due before the usual legal mechanisms for dealing with corporate bankcrupty get a look in, for example. And what if there's more than one payment service involved? Do they get to race to see who can empty a company's bank account first if anything does go severely wrong?
IIRC the US has a concept of bankruptcy protection to isolate a company that's in trouble if they have a reasonable plan to extricate themselves rather than failing. Not running a business in the US, I don't know all the details, but it seems a reasonable premise. But what happens if that company has signed over direct access to its bank account to a merchant account provider, who is risk averse and doesn't like the chapter 11 filing?
The bottom line is that these are all worst-case, doomsday scenarios, and even if a company is going to fail, it's usually not going to fail out of the blue and to that extent. I think you're obsessing over a fraud risk at the expense of making it much harder for people to run honest companies. If the system is set up in such a paranoid way, it's hardly going to be surprising if legitimate entrepreneurs are put off starting up, obviously leaving a disprortionate number of fraudulent applicants.
No, we're suggesting that if you're going to offer a merchant account to a company, your decision and terms should be based on the nature of that company.
You might reasonably do a credit check on the principals, since someone running a company who has a track record of bad debts is obviously a warning sign. Likewise you can check them against the databases of people who've been kicked off payment services before.
But in the end, you should be looking at whether a company has a credible business plan and people who are likely to execute it well. That's apparently good enough for other major financial transactions, including attracting investors and things like company credit cards for principals on the day you open a bank account. How come everyone else in the world can use common sense and make an informed judgement about risk, but merchant account providers can't?
Ok, and now the answer to that question is, "No, actuarially, we cannot offer you a merchant account backed only by your corporation." Like I said before. Your response is... what? No merchant account for you?
A. The bank offers a merchant account to a party they feel is worthy with the understanding that this party is going to use the account for the corporation.
B. The bank re-evaluates their criteria for merchant accounts and/or develops new products with which to serve the demand for merchant accounts.
But the status quo seems to me like a situation in which an entrepreneur can't start an honest corporation without putting his kids' college savings at risk of highly unpredictable fraud loss. Unless this person is connected to the right people in finance and banking, of course.
Why shouldn't my local tree-trimmer be able to accept credit cards? Like Greece, imagine the uncaptured tax that results from this sector of the economy dealing instead in mostly cash. I don't think this the current system is optimal or fair.
But the status quo seems to me like a situation in which an entrepreneur can't start an honest corporation without putting his kids' college savings at risk of highly unpredictable fraud loss.
And to add insult to injury, that kind of risk is entirely the fault of the payment industry itself, for failing to implement sufficiently robust security measures. And yet, the merchant typically carries the risk, not the payment industry.
Perhaps any compulsory refunds should be classified as either based on fraud or based on dissatisfaction, and the card payment services should be required to indemnify the merchant against fraudulent ones provided that the merchant has followed the recommended security steps before completing the transaction.
In fact, I've noticed recently that a few payment services are offering to eat chargebacks based on claims of fraud if an on-line transaction included a test such as Verified by Visa, so this situation may be starting to change, albeit rather slowly.
For losses based on dissatisfaction, it's probably as fair as anything practical to make the merchant carry the risk, but it is extremely unlikely that this kind of chargeback would result in a sudden spike in refunds a long time after the initial payments. It seems reasonable to handle this case via a level of retained funds commensurate with the observed level of loss.
That really only leaves catastrophe-scale events, such as a product having a fundamental flaw where everything dies at midnight on 1 January 2000. But in that case, either the business has the funds to cover the loss (in which case there's no problem and the card services can go to court if the merchant doesn't pay back what they owe) or the business is toast (in which case unless it's a very small business, probably no individual who gave a personal guarantee could do much to cover the costs anyway, and if it was a very small business, there's no substantial danger to the card service companies on the relatively rare occasions that they have to write the client off and eat the loss themselves).
In short, to the individual a piercing agreement may be an existential threat to their way of life, but such agreements make little real difference to the card companies in cases where the problem is not essentially their fault anyway.
Merchant account providers are not in the insurance business. If you're starting a business and worried that your own product failures are going to bankrupt you, pay for insurance.
It seems to me at this point that we've lost track of what a merchant account provider even does, and that your argument in some way depends on the fact that it's easier for large companies to bear losses than small ones, and so they should bear those losses regardless of who causes them. Why not just say Apple and Walmart should insure all new startups against personal losses at the same time? It's the same argument.
Merchant account providers are not in the insurance business.
Really? I think there's a good argument that insurance is exactly the business they are in.
The fundamental difficulty here is that money you think you have as a merchant can be taken away again retrospectively, and the merchant account provider is on the hook for it if the merchant disappears. The merchant account provider accepts that risk, but takes steps such as retaining partial funds that will normally be sufficient to mitigate it. Every now and then they'll take a big hit when there's a spectacular failure and whatever guarantees the merchant account provider thought they had turn out not to be worth enough to cover the loss. Most of the time, however, things will go fine and the merchant account provider will make a tidy margin.
How is this not an insurance model?
If you're starting a business and worried that your own product failures are going to bankrupt you, pay for insurance.
I'm not worried about my product failures, I'm worried about fraud due to a combination of their insufficient security and their rather generous waiting periods for customer complaints, or simply due to a mistake on their part.
Merchant account providers are not in the insurance business.
And why not? They could at least be obligated to obtain such insurance. Seriously, what else are they doing with that 3% of all those transactions?
Primarily because we accept the status quo because the merchant is in such a weak bargaining position. Let us not forget that merchants and consumers form the basis of our economy whereas payment and banking systems are just plumbing.
If the financial industry had more incentive to increase the security of payment systems, then maybe we wouldn't have the absurdly insecure systems that we have now. Inter-bank ACH is fundamentally an honor system. Credit/debit networks are basically a shared secret between you and everyone you've ever spent money with.
I'm not saying merchants should be immune from all chargebacks. I'm just saying that the lack of competition in payment systems is effectively disallowing the benefits of an LLC to the little guy.
But the cost of fraud is already bourne by the economy. It gets bourne by the taxpayers, the consumers, and the merchants. And yes it is stratospheric, but so is the revenue of the current payment industry.
What I'm suggesting is:
A. It makes the little sense for the personal savings of an entrepreneur to be the underwriter of last resort.
B. If the financial industry wasn't so easily able to push the risk off on others, we might find that they become interested in real security improvements that result in an overall decrease of fraud.
The fraud/abuse we're talking about in this case is perpetrated by the merchants themselves. Want to see what a system of "real security improvements" looks like for a payment processor that doesn't require your personal credit staked to your account?
The fraud/abuse we're talking about in this case is perpetrated by the merchants themselves.
But the merchant account issuer doesn't distinguish fraudulent merchants from losses due to stolen cards, fraudulent customer chargebacks, etc. So currently in the US, essentially all fraud costs tend to be passed on to the merchant (and for small entrepreneurs, their kids' college savings).
It's called Paypal.
Note that most of the criticisms people level against Paypal aren't against their policies and mechanisms that are a rational defense against risk. It's things like the destroyed antique violin, banning merchant accounts for "editorial" reasons, outright hostile customer relations, and (last but not least) a penchant for holding on to other people's money for as long as possible for completely unjustified reasons.
Hopefully we can agree that the root cause here is the prevalence of fraud itself. A more secure transaction system could make things nicer for everyone. The problem is that the payment networks are the only ones who can institute meaningful change and the current system (that enables them to pass the costs on to merchants) suits them just fine.
What does it help that the corporation is going to use the account only for the corporation? How does that cover the bank when the corporation fails to deliver on its promises to customers and then goes bankrupt, leaving the bank on the hook for chargebacks?
Ok, and now the answer to that question is, "No, actuarially, we cannot offer you a merchant account backed only by your corporation." Like I said before.
Well, I don't believe that would be the universal answer in most cases, and perhaps where it really is there is a lesson that someone should learn cheaply. But let's assume you're right for the sake of this discussion.
Your response is... what?
That a financial service company with no new clients is not long for the business world.
This is not a serious argument. It suggests that a simple form of contract between two consenting counterparties should be made unlawful, and then, to get around the fact that this would result in a market where small startups would never be able to get merchant accounts, suggests that the entire payment processing market would either restructure itself or be forced to restructure itself to get around that problem.
No. That's not going to happen. I'll go one further: if you so much as sign your name on a contract the wrong way, for instance by leaving out your title, you can easily create situations in which contracts that individual officers of your company sign bind directly to them; for instance, your VP/Engineering could easily sign a contract with a consulting developer that would leave them personally liable to that consultant if the company went out of business and didn't pay the consultant. The VP/Engineering in that scenario didn't even intend to create a personal attachment, and yet cases like this have been decided against people like that.
Similarly, in some states, payroll obligations --- which are contractual, precisely the type of exposure that limited liability covers --- can automatically pierce corporate liability and bind to the owners of the company.
I think you drastically overestimate the protection afforded by limited liability.
This is not a serious argument. It suggests that a simple form of contract between two consenting counterparties should be made unlawful
Which happens all the time, particularly when the parties have unequal bargaining positions, in which case frankly your characterisation of the parties as "consenting" is a stretch at best.
and then, to get around the fact that this would result in a market where small startups would never be able to get merchant accounts
Of course they would. The industry is extremely profitable despite the ever-present risk of fraud, and the rates that merchant account providers charge to start-ups are often at least double what they can get away with for more savvy established businesses. You keep saying that start-ups wouldn't be able to get a merchant account at all if piercing agreements weren't allowed, but you've given no evidence for this and your position defies all logic. As I've argued elsewhere, piercing agreements are unlikely to provide much cover for the merchant account provider most of the time anyway, and I'm quite sure that the people in the industry have concrete figures for things like how often they really have to rely on such agreements and how much of their losses they are really able to recoup in those cases.
suggests that the entire payment processing market would either restructure itself or be forced to restructure itself to get around that problem.
In case you hadn't noticed, the on-line payments industry is restructuring.
For one thing, companies like Stripe are taking traditional merchant account/payment gateway set-ups to the cleaners. Every HN discussion on this topic is full of people who are involved with start-ups bemoaning the lack of alternatives outside the US, and as the new generation of payment companies establishes itself globally, things are only going to get better for merchant-experience-focussed companies like Stripe. The industry giants with their month-plus application processes and hundred-page legalese documents are either going to have to play nicely with the new kids (and I'm betting even a young company like Stripe is already able to negotiate much better terms than their start-up clients could) or lose out in the ever-growing on-line sales market.
Obviously there are already alternatives with different business models like PayPal, and despite the horror stories, they still potentially offer a much better experience to merchants than the old school providers. As offerings from other big names like Google and Amazon improve, and as more companies like Stripe go international, competition will also force PayPal to improve rather than relying on often being the only salesman in town.
And then there's the small issue of companies like GoCardless, who eschew the anachronisms and merchant-hostile terms of the card payment industry entirely. I expect they're going to do pretty well out of that, too.
In short, I think you put way too much faith in dinosaurs. The question isn't if they're going to change, it's only when. The issue for most of us running small companies outside the US right now is just that we're a bit early. I expect in five years time we'll all look back on this conversation and laugh.
The VP/Engineering in that scenario didn't even intend to create a personal attachment, and yet cases like this have been decided against people like that.
I'm not sure what your argument was in that part, but surely you know that as a basic matter of law a contract requires understanding by both parties of what the agreement is, so whatever cases you're thinking of probably weren't as simple as you're suggesting.
Requested it as part of the application. Perhaps I could have avoided the disclosure, but since a merchant account is effectively offering you credit (think about it) leveraging my personal rating yet incurring no liability was a pragmatic win.
The issue is that fraud prevention--like terrorism prevention--means the side that's doing the groping isn't going to tell you exactly what they're doing and why. This leads to a lot of confusion.
If you're a relatively small or young company, the merchant account providers often demand that a principal signs a piercing agreement and personally guarantees the account.
For the first few years I was in business my corporate credit lines were effectively personal credit lines that happened to have my company name on them.
The US wouldn't get a cut of that unless the exchange rate really sucked and that £20,000 was worth more than $90,000. Plus any UK taxes you paid on it (assuming there is a taxation treaty between the UK and US) are deductible from your US tax liability.
In general you have to either live in a country that doesn't have a tax treaty with the US or not pay taxes on your income in the country in which you reside.
That is only true for "Earned Income" if he's not self employed. If he's a web contractor for example, he still has to pay self-employment taxes %15.3 of his UK earned income received from his UK clients, EVEN IF HE LIVES IN THE UK... to the US... fair? really?
