CC processor suggestion needed ASAP!

40 replies [Last post]
Arks's picture
Online
Joined:
05/22/2010

An update. A sad update to my September report about a hacker posting thousands of CC authorizations to my Authorize.net account. I had considered it a major headache to have to delete thousands of transaction authorization emails from this hacker account. But now...

...I got my monthly bank statement. My monthly payment to use the services of Authorize.net is generally around $50, sometimes a few dollars more or less, but always in that range. My Oct. Authorize bill was $1,007.15! They say it's because they processed 9492 authorizations for me in September! I have to pay for all those hacker transactions!!

It gets worse. On the same bank statement from is a "Bank Card Processing" fee of $2,444.95. Authorize says this is not from them, but would be from my "Merchant Service Provider", whatever that is. Apparently they also have a per-transaction charge.

I do recall that authorize only does the authorizing, then they pass it along to someone else to do the actual transaction of taking money from the customer and passing it on to me. So I guess the $2,444.95 is from them, for processing...nothing!

I'm sick, and Authorize doesn't seem to care. So I need to switch my ResKey processing from Authorize ASAP. Can someone suggest a service that provides real-time CC processing in ResKey the way Authorize does?

__________________

All saints can do miracles, but few of them can keep hotel. ~ Mark Twain

 

Arks's picture
Online
Joined:
05/22/2010

After many emails back and forth, I finally got most of my money back from both Authorize and my "Merchant Services" company, so I only lost about $150 in the bot attacks. Much better than the several thousand I was originally hit with.

After a month on Stripe, I got my bank statement this week and can see another huge benefit of Stripe, and similar processors like Square: they hold out their part up front and only deposit your part.

With my old Merchant Services, they deposited to my checking account the full amount of the charge, then debited back out their 2.5% or whatever it was. So at the end of the month, to reconcile my checking acct., I had to enter all those little $3.65-sized debits into my check register, one for every card I charged during the month. A lot of tedious work. Now that's all gone and it's much faster to do my monthly reconcile.

As a bonus, there's also not that monthly $45 to $60 charge from Authorize. Stripe doesn't have any extra charges. They just take their cut at the time of charge, and that's it.

I'm not sure, but I'm also thinking they won't require the yearly PCI training the regular charge card companies made me do. I know Square has never required that for the charges I run through Square.

Loving it!

Morticia's picture
Offline
Joined:
05/22/2008

My bank charges a fee for any number of transactions over 25. What you're talking about would kill me! Also, to avoid that with Square deposits, I had them put in a separate account that only does those deposits. On Monday I transfer the $$$ to the checking (or savings if we did really well!)

__________________

What a long, strange trip it’s been.

 

Arks's picture
Online
Joined:
05/22/2010

As you may recall from above, the bot attack cost me $1,007.15 in authorization fees at Authorize.net and $2,444.95 in "per transaction" fees from "merchant services" who take the ball from Authorize and run it on down the field.

Authorize doesn't care to talk about it, but Merchant Services says they will split the cost with me, meaning that they're going to refund half the $2444 they charged me in this fiasco. I'm very happy to be getting over $1000 back on this, and I learned a lot of lessons...as usual, the hard way!

Lee2014's picture
Offline
Joined:
12/11/2014

  At the north inn we have the internet accounts connected to a different bank account than our inn and we just transfer the funds over to our other account as an extra caution.  We use stripe and are content with them.

__________________

Have a great day!

 

Arks's picture
Online
Joined:
05/22/2010

Lee2014 wrote:

We use stripe and are content with them.

So far, so good with Stripe. Wish I had switched over years ago. It was easy. I'd worried about losing all the CC numbers stored in Authorize.net, but Reservation Key makes it so easy to send old reservations a secure online payment link to pay their balance due via Stripe now, and on new reservations Stripe saves the info so I can charge the balance directly.

Lee2014's picture
Offline
Joined:
12/11/2014

Arks wrote:

Lee2014 wrote:

We use stripe and are content with them.

So far, so good with Stripe. Wish I had switched over years ago. It was easy. I'd worried about losing all the CC numbers stored in Authorize.net, but Reservation Key makes it so easy to send old reservations a secure online payment link to pay their balance due via Stripe now, and on new reservations Stripe saves the info so I can charge the balance directly.

Good!yes

Offline
Joined:
09/26/2011

Reskey works with Stripe.  I tried to send the link to the reskey info page, but was unable to do so due to spam filter here. 

 

Edited to add - looks like you have already made this move.  

Hillbilly's picture
Offline
Joined:
10/22/2011

This isn’t because of Aut.net. I had this same thing happen last week when a bot was attached to our REskey account. I was not able to process for 5 days because 26,000 cards attempted to be authorized. Our merchant is the one who shut us down and we had to go in and get a new account. It was a major hassle. I will have to look at our bill. But I know the main cause was because REskey does not have a Captcha when someone tries to make a reservation. So this allows a bot to attach and run thousands of cards without you knowing. REsKey needs to fix this.

__________________

Hillbilly

 

Baygirl's picture
Offline
Joined:
05/26/2009

We also had a bot attach to our rezkey acct.  and it still seems to be happening.  John has tried a few things but nothing seems to work.  I can tell it's still happening because I have multiple searches on my activity with the same ip address... I don't know how to get rid of the bot.  John has recommended I put something on our site to track but I haven't had time to go in and do this yet.  Are you still having issues with the bot?

Arks's picture
Online
Joined:
05/22/2010

Baygirl wrote:

Are you still having issues with the bot?

After the heavy attack in September, I got no attack activity in October after I instituted the daily limit in Authorize. But about a week ago I had another one. About 75 attempts. Bad, but not as bad as before.

Friday I got a new Authorize "transaction key" and installed it in ResKey. It was easy to do and I've received new reservations since I installed it, so it didn't mess anything up. I'm assuming if the bot is using the old key, their attacks won't work anymore.

But I've decided to switch to Stripe because over time it will be a lot cheaper than Authorize. Stripe charges a flat rate of 2.9% + 30¢ per successful card charge. No other charges.

I'm guessing "per successful card charge" means I only pay on the ones that actually charge money. Stripe has no setup fees, no monthly fees, no payout fees, no minimum charges, no validation fees, and no charge for them to store the card numbers for use in future charges. There's no "merchant services" middle man to also pay. Stripe takes the money and sends it directly to my bank account with no middle man.

Baygirl's picture
Offline
Joined:
05/26/2009

I don't use Rez for payments.. I enter the deposits manually when a reservation gets made.  How does stripe work for incidentals if the guest orders an upsell?  Do you manually enter any charges on stripe?  

Arks's picture
Online
Joined:
05/22/2010

Baygirl wrote:

I don't use Rez for payments.. I enter the deposits manually when a reservation gets made.  How does stripe work for incidentals if the guest orders an upsell?  Do you manually enter any charges on stripe?  

You can do it both ways. I have ResKey/Stripe take the downpayment (first night's fee) automatically when they make the reservation, then I'll manually charge their card in ResKey/Stripe for the balance, if any, when they arrive. Stripe securely saves the CC info so I don't have to face all the security regulations to keep it at my end.

JimBoone's picture
Offline
Joined:
12/18/2014

Maybe an option provided on aut.net, but I know that being small I will never have a large volume of business, I think we were set to allow only 100 authorizations a day and after all these problems came to light I’ve reduced that number even more.

__________________

Jim & Maxine

 

Morticia's picture
Offline
Joined:
05/22/2008

JimBoone wrote:

Maybe an option provided on aut.net, but I know that being small I will never have a large volume of business, I think we were set to allow only 100 authorizations a day and after all these problems came to light I’ve reduced that number even more.

Well that certainly sounds like a solution - a reasonable limit on daily transactions.

Even in peak season I doubt most of us do more than 20 or so transactions/day. It's not like any of us have tons of rooms.

Even if I had to hold off processing some deposits because we had a whole house check in, that would be ok.

JimBoone's picture
Offline
Joined:
12/18/2014

I can set a transactions per day and transactions per hour limits, while it might not totally prevent the issue it would slow it down and make it less useful to the intruder.

Working through bank as I do, I only use auth.net for a smaller online deposit, I run check ins through a desk terminal so wouldn’t be limited by arriving guests

Generic's picture
Offline
Joined:
02/24/2011

I do offline processing and/or Square processing. Square with RK is a pain because you have to reauthorize the token from time to time.

__________________

Permission to quote in whole or in part, other than usage on this forum, is entirely forbidden.

 

Morticia's picture
Offline
Joined:
05/22/2008

Generic wrote:

I do offline processing and/or Square processing. Square with RK is a pain because you have to reauthorize the token from time to time.

I also do everything offline. It does take more time, but I'm nervous about these sorts of breaches. It does seem like no one is taking responsibility for it. I know some users on the RK forum said they were contacted by people asking why they were trying to run their card.

I was approached by another reservation software company saying she knew we were on RK and was I aware they were breached? However, no one is saying they know what happened.

Arks's picture
Online
Joined:
05/22/2010

Morticia wrote:

I know some users on the RK forum said they were contacted by people asking why they were trying to run their card.

I was approached by another reservation software company saying she knew we were on RK and was I aware they were breached? However, no one is saying they know what happened.

Yes I had one contact me asking why I'd tested their CC number. I advised them that I didn't do it and their CC number was probably compromised and to notify their CC company, and they were grateful for the info. It wasn't a CC ResKey had ever processed. It was one that was compromised elsewhere, they just used the ResKey info to test it.

Anyway, when I switch away from Authorize, the RK breach won't be in play anymore so I'm comfortable staying with RK...unless it happens again! I mean, we MUST use someone, and they are all vulnerable. If major companies like Yahoo, Marriott, eBay, Target, even Equifax have been breached, these little reservation processors are easy pickings. It could/will happen to any of them.

Morticia's picture
Offline
Joined:
05/22/2008

I told the caller it was Authorize that was breached, and we don't use them. Yes, they are all vulnerable. Problem lies in taking their failure to protect the system out on the small guy. And you ending up with a $3500 bill!

Hillbilly's picture
Offline
Joined:
10/22/2011

It’s REskey that is the issue. They need to install a captcha during the reservation process 

Morticia's picture
Offline
Joined:
05/22/2008

Hillbilly wrote:

It’s REskey that is the issue. They need to install a captcha during the reservation process 

No reservation system has that. At least not any one that I've used to make a hotel reservation. The system I used for years for my own place didn't have that.

If it's RK that's the problem, then yes, there needs to be a fix such as shutting off after x number of attempts in y minutes.
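The "x attempts in y minutes" shut-off suggested here, combined with the daily transaction cap JimBoone describes, can be sketched as follows. This is an added example, not code from ResKey, Authorize.net or any poster; the class name, thresholds and sample traffic are assumptions made for illustration.

```python
from collections import defaultdict, deque

DAY_S = 86400

class AuthVelocityGuard:
    """Decides whether a card authorization may be sent to the payment gateway."""

    def __init__(self, max_attempts=5, window_s=600, lockout_s=3600, daily_cap=100):
        self.max_attempts = max_attempts    # "x attempts" per source (assumed value)
        self.window_s = window_s            # "in y minutes", in seconds (assumed value)
        self.lockout_s = lockout_s          # how long a tripped source stays shut off
        self.daily_cap = daily_cap          # site-wide cap, like a gateway daily limit
        self._recent = defaultdict(deque)   # source -> times of forwarded attempts
        self._locked_until = {}             # source -> time the lockout ends
        self._forwarded = deque()           # times of all forwarded attempts

    def check(self, source, now):
        """Return 'forward', 'blocked_source' or 'blocked_daily_cap'."""
        if self._locked_until.get(source, 0) > now:
            return "blocked_source"
        # Drop forwarded attempts older than 24 hours before testing the cap.
        while self._forwarded and now - self._forwarded[0] >= DAY_S:
            self._forwarded.popleft()
        if len(self._forwarded) >= self.daily_cap:
            return "blocked_daily_cap"
        recent = self._recent[source]
        while recent and now - recent[0] >= self.window_s:
            recent.popleft()
        if len(recent) >= self.max_attempts:
            self._locked_until[source] = now + self.lockout_s
            return "blocked_source"
        recent.append(now)
        self._forwarded.append(now)
        return "forward"


def simulate_single_source_bot():
    """Constructed traffic: one source tries 1000 cards, 2 s apart, then a guest books."""
    guard = AuthVelocityGuard()
    results = [guard.check("203.0.113.7", t) for t in range(0, 2000, 2)]
    guest = guard.check("198.51.100.20", 2000)
    return results.count("forward"), results.count("blocked_source"), guest


def simulate_distributed_bot():
    """Constructed traffic: 200 sources, one attempt each; only the daily cap stops it."""
    guard = AuthVelocityGuard()
    results = [guard.check(f"source-{i}", i) for i in range(200)]
    return results.count("forward"), results.count("blocked_daily_cap")
```

Only attempts that return `forward` would reach the gateway and incur a per-authorization fee; the second simulation shows why a site-wide cap is still needed when attempts are spread across many sources.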

 

Arks's picture
Online
Joined:
05/22/2010

Morticia wrote:

No reservation system has that. At least not any one that I've used to make a hotel reservation. The system I used for years for my own place didn't have that.

If it's RK that's the problem, then yes, there needs to be a fix such as shutting off after x number of attempts in y minutes.

yes

Arks's picture
Online
Joined:
05/22/2010

Generic wrote:

I do offline processing and/or Square processing. Square with RK is a pain because you have to reauthorize the token from time to time.

Thanks for the tip on avoiding Square. I'm wanting instant, automatic charging of the deposit at reservation time, so I'm looking at Yapstone and GoEMerchant/FirstPayment. I've known for a long time that Authorize is more expensive than most, but I've resisted changing because when you do, all your stored card info is lost so I'd have to re-run the cards on all existing reservations. But the current situation makes it absolutely necessary. Almost $4000 lost to this crazy hacker assault!

Generic's picture
Offline
Joined:
02/24/2011

Square does the charge instantly, but the authorization token in RK doesn't renew automatically. It's about 60 days, I think.

JerseyBoy's picture
Offline
Joined:
12/29/2016

Can you let me know what rate Square charges when using RK?

 

Arks's picture
Online
Joined:
05/22/2010

JerseyBoy wrote:

Can you let me know what rate Square charges when using RK?

Stripe takes 2.9% + 30¢ per successful card charge.
You don't pay anything if there is no charge made to the card.

Square takes 2.6% + 10¢ per tap, dip, or swipe, but Generic pointed out that Square with RK is a pain because you have to reauthorize the token from time to time. So I went with Stripe.

JerseyBoy's picture
Offline
Joined:
12/29/2016

Thanks.   I guess what I am wondering about Square is what is the rate when a charge is made directly through RK?   This would not be a tap, dip, or swipe through one of their readers but something keyed into the RK software.

As another data point for folks, I am currently using InnPayments (Yapstone) which just raised its rates to 2.9% but no transaction fee.

 

Morticia's picture
Offline
Joined:
05/22/2008

Did you try asking this on the rk forum? Might be easier to get the right combo of square + rk. I'd be interested to know the answer.

I do all the processing manually now, but always thinking about automating deposits.

gillumhouse's picture
Offline
Joined:
05/22/2008

Mort said:     Did you try asking this on the rk forum? Might be easier to get the right combo of square + rk. I'd be interested to know the answer.

Had a thought, could you have the rez generate a Square invoice filling in the blanks from the reservation like (guest name) for the guest to enter cc# ?

JerseyBoy's picture
Offline
Joined:
12/29/2016

Thanks.  I will do that.

gillumhouse's picture
Offline
Joined:
05/22/2008

You can send the guest an invoice and THEY input the credit card number. That  processes like a card present. Square sends the day's charges as one deposit - so it is one transaction, not 10 with the bank.

JerseyBoy's picture
Offline
Joined:
12/29/2016

Are you sending the invoice from Square or from ResKey (using the payment due link)?

gillumhouse's picture
Offline
Joined:
05/22/2008

I sent it from Square. And 3.09% still beat the 3.75% manual entry fee. The Square fees are lovely compared to what the processor was charging me with no way to know for sure it was correct. Some of THEIR fees were close to 5% and I had no way to know which cards were the higher fees. The processor tagged almost every card as non-qual and when I asked what that was, they said extra processing as in manual entry (I swiped them) and/or third party card (like Sierra Club or some special interest card) and corporate cards had higher fees. With Square I even take AMEX - they are all the same rate.

Generic's picture
Offline
Joined:
02/24/2011

Why don't you set up square payment and just send a link to ReservationKey? You have to renew Square every 30 days or so, but it takes the payment.

gillumhouse's picture
Offline
Joined:
05/22/2008

This was the first time I had a card not going to be present. So I tried the invoice method. Worked seamlessly. The purchaser was happy and so was I. I do not do deposits.

JerseyBoy's picture
Offline
Joined:
12/29/2016

Thanks for the information.

seashanty's picture
Offline
Joined:
06/02/2008

My god! This level of fraud and you’re getting the runaround? Sorry I can’t offer a suggestion, just my sympathy. 

angry

gillumhouse's picture
Offline
Joined:
05/22/2008

Good lord!!! I wonder if the hacker was attached to the processor. There should be protection against hackers like there is for unauthorized charges. THAT is a double horrible hit.

Arks's picture
Online
Joined:
05/22/2010

gillumhouse wrote:

Good lord!!! I wonder if the hacker was attached to the processor. There should be protection against hackers like there is for unauthorized charges. THAT is a double horrible hit.

Out of all the ResKey users, only about 4 of us have reported this. No way of knowing if it came through a weakness in ResKey, or Authorize, or the "merchant services" company. And none of them have a word to say about it, of course.

I went by my bank to try to find out who the $2664 "bankcard processing fee" went to, and they don't know. They said "talk to the CC processor." And of course Authorize said "talk to your bank". Grrr.

JimBoone's picture
Offline
Joined:
12/18/2014

Dumb questions perhaps, do you normally get a much smaller “bank card processing fee” and know that this isn’t also a hack?

I run guest cards through a terminal on the desk when they arrive, and a deposit through Authorize.net online, however the terminal and authorize account are through my local bank, maybe more expensive, I don’t know, but at times like this worth it to me to know I can get help from a local person.

It sure seems someone at the bank could identify what company made the charge even if the bank has no connection 
