CC processor suggestion needed ASAP!

22 replies [Last post]
Arks's picture
Offline
Joined:
05/22/2010

An update. A sad update to my September report about a hacker posting thousands of CC authorizations to my Authorize.net account. I had considered it a major headache to have to delete thousands of transaction authorization emails from this hacker account. But now...

...I got my monthly bank statement. My monthly payment to use the services of Authorize.net is generally around $50, sometimes a few dollars more or less, but always in that range. My Oct. Authorize bill was $1,007.15! They say it's because they processed 9492 authorizations for me in September! I have to pay for all those hacker transactions!!

It gets worse.On the same bank statement from is a "Bank Card Processing" fee of $2,444.95. Authorize says this is not from them, but would be from my "Merchant Service Provider", whatever that is. Apparently they also have a per-transaction charge.

I do recall that authorize only does the authorizing, then they pass it along to someone else to do the actual transaction of taking money from the customer and passing it on to me. So I guess the $2,444.95 is from them, for processing...nothing!

I'm sick, and Authorize doesn't seem to care. So I need to switch my ResKey processing from Authorize ASAP. Can someone suggest a service that provides real-time CC processing in ResKey the way Authorize does?

__________________

All saints can do miracles, but few of them can keep hotel. ~ Mark Twain

 

Anon Inn's picture
Offline
Joined:
09/26/2011

Reskey works with Stripe.  I tried to send the link to the reskey info page, but was unable to do so due to spam filter here. 

 

Edited to add - looks like you have already made this move.  

Hillbilly's picture
Offline
Joined:
10/22/2011

This isn’t because of Aut.net. I had this same thing happen last week when a bot was attached to our REskey account. I was not able to process for 5 days because 26,000 cards attempted to be authorized. Our merchant is the one who shut us down and we had to go in and get a new account. It was a major hassle. I will have to look at our bill. But I know the main cause was because REskey does not have a Captcha when someone try’s to make a reservation. So this allows a bot to attach and runs thousands of cards without you knowing. REsKey needs to fix this.

__________________

Hillbilly

 

Baygirl's picture
Offline
Joined:
05/26/2009

We also had a bot attach to our rezkey acct.  and it still seems to be happening.  John has tried a few things but nothing seems to work.  I can tell it's still happening because I have multiple searches on my activity with the same ip address... I don't know how to get rid of the bot.  John has recommended I put something on our site to track but I haven't had time to go in and do this yet.  Are you still having issues with the bot?

Arks's picture
Offline
Joined:
05/22/2010

Baygirl wrote:

Are you still having issues with the bot?

After the heavy attack in September, I got no attack activity in October after I instituted the daily limit in Authorize. But about a week ago I had another one. About 75 attempts. Bad, but not as bad as before.

Friday I got a new Authorize "transaction key" and installed it in ResKey. It as easy to do and I've received new reservations since I installed it, so it didn't mess anything up. I'm assuming if the bot is using the old key, their attacks won't work anymore.

But I've decided to switch to Stripe because over time it will be a lot cheaper than Authorize. Stripe charges a flat rate of 2.9% + 30¢ per successful card charge. No other charges.

I'm guessing "per successful card charge" means I only pay on the ones that actually charge money. Stripe has no setup fees, no monthly fees, no payout fees, no minimum charges, no validation fees, and no charge for them to store the card numbers for use in future charges. There's no "merchant services" middle man to also pay. Stripe takes the money and sends it directly to my bank account with no middle man.

Baygirl's picture
Offline
Joined:
05/26/2009

I don't use Rez for payments.. I enter the deposits manually when a reservation gets made.  How does stripe work for incidentals if the guest orders an upsell?  Do you manually enter any charges on stripe?  

Arks's picture
Offline
Joined:
05/22/2010

Baygirl wrote:

I don't use Rez for payments.. I enter the deposits manually when a reservation gets made.  How does stripe work for incidentals if the guest orders an upsell?  Do you manually enter any charges on stripe?  

You can do it both ways. I have ResKey/Stripe take the downpayment (first night's fee) automatically when they make the reservation, then I'll manually charge their card in ResKey/Stripe for the balance, if any, when they arrive. Stripe securely saves the CC info so I don't have to face all the security regulations to keep it at my end.

JimBoone's picture
Offline
Joined:
12/18/2014

Maybe an option provided on aut.net, but I know that being small I will never have a large volume of business, I think we were set to allow only 100 authorizations a day and after all these problems came to light I’ve reduced that number even more.

__________________

Jim & Maxine

 

Morticia's picture
Offline
Joined:
05/22/2008

JimBoone wrote:

Maybe an option provided on aut.net, but I know that being small I will never have a large volume of business, I think we were set to allow only 100 authorizations a day and after all these problems came to light I’ve reduced that number even more.

Well that certainly sounds like a solution - a reasonable limit on daily transactions.

Even in peak season I doubt most of us do more than 20 or so transactions/day. It's not like any of us have tons of rooms.

Even if I had to hold off processing some deposits because we had a whole house check in, that would be ok.

__________________

Never judge a person's story by the chapter you walked in on.

 

JimBoone's picture
Offline
Joined:
12/18/2014

I can set a transactions per day and transactions per hour limits, while it might not totally prevent the issue it would slow it down and make it less useful to the intruder.

Working through bank as I do, I only use auth.net for a smaller online deposit, I run check ins through a desk terminal so wouldn’t be limited by arriving guests

Generic's picture
Offline
Joined:
02/24/2011

I do offline processing and/or Square processing. Square with RK is a pain because you have to reauthorize the token from time to time.

__________________

Permission to quote in whole or in part, other than usage on this forum, is entirely forbidden.

 

Morticia's picture
Offline
Joined:
05/22/2008

Generic wrote:

I do offline processing and/or Square processing. Square with RK is a pain because you have to reauthorize the token from time to time.

I also do everything offline. It does take more time, but I'm nervous about these sorts of breaches. It does seem like no one is taking responsibility for it. I know some users on the RK forum said they were contacted by people asking why they were trying to run their card.

I was approached by another reservation software company saying she knew we were on RK and was I aware they were breached? However, no one is saying they know what happened.

Arks's picture
Offline
Joined:
05/22/2010

Morticia wrote:

I know some users on the RK forum said they were contacted by people asking why they were trying to run their card.

I was approached by another reservation software company saying she knew we were on RK and was I aware they were breached? However, no one is saying they know what happened.

Yes I had one contact me asking why I'd tested their CC number. I advised them that I didn't do it and their CC number was probably compromised and to notify their CC company, and they were grateful for the info. It wasn't a CC ResKey had ever processed. It was one that was compromised elsewhere, they just used the ResKey info to test it.

Anyway, when I switch away from Authorize, the RK breach won't be in play anymore so I'm comfortable staying with RK...unless it happens again! I mean, we MUST use someone, and they are all vulnerable. If major companies like Yahoo, Marriott, eBay, Target, even Equifax have been breached, these little reservation processors are easy pickings. It could/will happen to any of them.

Morticia's picture
Offline
Joined:
05/22/2008

I told the caller it was Authorize that was breached, and we don't use them. Yes, they are all vulnerable. Problem lies in taking their failure to protect the system out on the small guy. And you ending up with a $3500 bill!

Hillbilly's picture
Offline
Joined:
10/22/2011

It’s REskey that is the issue. They need to install a captcha during the reservation process 

Morticia's picture
Offline
Joined:
05/22/2008

Hillbilly wrote:

It’s REskey that is the issue. They need to install a captcha during the reservation process 

No reservation system has that. At least not any one that I've used to make a hotel reservation. The system I used for years for my own place didn't have that.

If it's RK that's the problem, then yes, there needs to be a fix such as shutting off after x number of attempts in y minutes.

 

Arks's picture
Offline
Joined:
05/22/2010

Morticia wrote:

No reservation system has that. At least not any one that I've used to make a hotel reservation. The system I used for years for my own place didn't have that.

If it's RK that's the problem, then yes, there needs to be a fix such as shutting off after x number of attempts in y minutes.

yes

Arks's picture
Offline
Joined:
05/22/2010

Generic wrote:

I do offline processing and/or Square processing. Square with RK is a pain because you have to reauthorize the token from time to time.

Thanks for the tip on avoiding Square. I'm wanting instant, automatic charging of the deposit at reservation time, so I'm looking at Yapstone and GoEMerchant/FirstPayment. I've known for a long time that Authorize is more expensive than most, but I've resisted changing because when you do, all your stored card info is lost so I'd have to re-run the cards on all existing reservations. But the current situation makes it absolutely necessary. Almost $4000 lost to this crazy hacker assault!

Generic's picture
Offline
Joined:
02/24/2011

Square does the charge instantly, but the authorization token in RK doesn't renew automatically. It's about 60 days, I think.

seashanty's picture
Offline
Joined:
06/02/2008

My god! This level of fraud and you’re getting the runaround? Sorry I can’t offer a suggestion, just my sympathy. 

angry

gillumhouse's picture
Offline
Joined:
05/22/2008

Good lord!!! I wonder if the hacker was attached to the processor. There should be protectection against hackers like there is for unauthorized charges. THAT is a double horrible hit.

Arks's picture
Offline
Joined:
05/22/2010

gillumhouse wrote:

Good lord!!! I wonder if the hacker was attached to the processor. There should be protectection against hackers like there is for unauthorized charges. THAT is a double horrible hit.

Out of all the ResKey users, only about 4 of us have reported this. No way of knowing if it came through a weakness in ResKey, or Authorize, or the "merchant services" company. And none of them have a word to say about it, of course.

I went by my bank to try to find out who the $2664 "bankcard processing fee" went to, and they don't know. They said "talk to the CC processor." And of course Authorize said "talk to your bank". Grrr.

JimBoone's picture
Offline
Joined:
12/18/2014

Dumb questions perhaps, do you normally get a much smaller “bank card processing fee” and know that this isn’t also a hack?

I run guest cards through a terminal on the desk when they arrive, and a deposit through Authorize.net online, however the terminal and authorize account are through my local bank, maybe more expensive, I don’t know, but at times like this worth it to me to know I can get help from a local person.

It sure seems someone at the bank could identify what company made the charge even if the bank has no connection 

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.