Category Archives: compliance

Articles with news and information about merchant account compliance for businesses in the adult industry by Adult Merchant Services.


Adult Merchant Underwriting Guidelines

In the merchant account industry, payment service providers and merchant acquirers are required to follow the procedures established by Visa and MasterCard’s payment card association to complete the proper adult merchant underwriting process, while higher risk payment processors and acquiring banks have additional guidelines and requirements to follow when considering an adult merchant account application. Many of these higher risk payment processors and acquiring banks also follow their own internal guidelines and protocols, in addition to the payment card association guidelines, to determine the risk of a prospective business applying for adult merchant services.

Who enforces the adult merchant underwriting guidelines?

The payment card association of Visa and MasterCard has established strict rules and regulations for the members of their payment card network to follow, whether they are underwriting new merchants or are the merchants themselves. These guidelines help ensure that the products or services being offered, along with the other practices of the merchant members of the network, fully abide by all local and federal laws and assist in the maintenance of the card brand reputation.

Underwriters from the various payment service providers, acquirers and other payment facilitating organizations are required to verify that the guidelines set forth in their payment card network agreements are maintained by merchants and prospective merchants before being admitted to the network. Failure to maintain compliance with these guidelines can jeopardize both the merchant’s and the merchant acquirer’s relationship with the card association, resulting in warnings, fines or the possible loss of their card network relationship.

What are the adult merchant underwriting guidelines?

Adult businesses operate in an environment that can expose them to many potential legal issues or other problems that more conventional businesses do not normally face. This has led the card brands that are part of the payment card association to create their strict guidelines and to provide underwriters and payment service providers with updated information about their concerns and the potential problems they may face when reviewing new merchant accounts or auditing existing ones.

To keep payment services providers updated and informed with the card association guidelines, each member of the payment card association has created their own acquirers program; Visa named their program the Global Brand Protection Program (GBPP) and MasterCard refers to their program as the Business Risk Assessment and Mitigation (BRAM). Both companies regularly review and update their programs to reflect the changes and concerns that they want to bring to the attention of acquirers and merchants.

Though each program has different guidelines and regulations to follow, higher risk industries share most of the terms and conditions, including the requirements of adult merchants accepting credit cards. A few of the most important conditions that both companies require are:

  • 2257 Compliance
  • No Child Exploitation
  • No Offensive Adult Pornography
  • Certified Web Scan Completion
  • Members Area/Password Protected
  • Proper MCC Coding

One of the most important requirements of online adult merchants is the 2257 Compliance required by federal law, meaning that whether they produce content or publish content, they have to know that the material being used is within the guidelines of the law. Producers, both the creators of the content and the organizations that publish content, in print and/or electronically, must maintain specific records that can be produced upon request by the FBI during unannounced visits. Failure to maintain these records, or any violations, will lead to strict punishments.

Another important audit done by payment service providers checks that the content on the merchant’s website does not portray, reference or otherwise imply any type of offensive pornography, including images or speech from the webmasters or users alike. Using companies such as G2 to run onsite and offsite scans to check for any violations or questionable content is a common practice of underwriters prior to accepting a merchant and periodically during the merchant services agreement.

During the adult merchant underwriting process, acquirers check that the content published by the merchant is legal and compliant with federal compliance guidelines, and also confirm that the website is not accessible to non-paying visitors. To maintain the security of an adult website and to prevent any potential legal ramifications, it is important for webmasters to install a members area that prevents adult material from being viewed by users who might be underage in the jurisdiction.

One of the final rules that the payment card association enforces is the use of the correct MCC (merchant category code) for adult businesses. Content providers, publishers and other publications are generally placed in MCC 5967, requiring USA acquirers to charge merchants an annual registration fee for being an adult business. Adult video stores and similar businesses are generally placed in MCC 7841, whose merchants are not necessarily required to register with the card association and pay the annual fee. This is the reason why MCC enforcement confirms that all merchants are properly coded to their correct industry, to prevent any problems with the card association or other legal consequences that might affect the industry in its entirety.

Why are the adult merchant underwriting guidelines so strict?

The payment card association realizes that the adult industry generates a substantial amount of revenue for themselves and the banks they partner with, but there are also large risks that come with allowing these merchants to access their payment card network. As an industry that operates in an area that attracts a significant amount of attention, and many times negative attention, it has the potential for legal problems that can loom overhead.

Ensuring that merchants are in compliance with 18 U.S.C. §2257 can help protect the merchant services companies, merchant acquirers and card brands from any potential legal problems that might arise from a violation on the business side. Merchants can face enormous fines and up to 5 years in jail for their first violation, while companies or individuals that may not be publishing material but are otherwise benefiting from the sales of content can also potentially face large fines and up to a year in prison for a violation of 2257.

How do acquirers keep merchants compliant?

Upon approval with the payment services provider or acquirer, merchants in MCC 5967 are registered as an adult provider with MasterCard of the payment card association. The annual fee for registration in the USA is $500, charged to the merchant by the acquirer. This informs MasterCard that the acquirer has verified the merchant’s compliance and that the merchant will remain in compliance during their tenure as an adult content publisher.

Another way that the acquirer and payment service providers check on merchants in MCC 5967 is by running site wide scans of their content along with offsite scans to verify that no violations or potential violations have occurred since the last yearly review. Protecting both the merchants and acquirers helps keep the adult industry compliant with federal laws and helps fuel its exponential online payments growth year over year.

Where do you start your adult merchant underwriting process?

Merchants operating an adult business that feel they should become compliant with the payment card association guidelines or are processing outside the USA and want to change to a domestic bank are encouraged to speak to one of our adult merchant account professionals. Our team at Adult Merchant Services will be happy to answer any questions or clear up any uncertainties about your company and help direct you to the best solution for your adult credit card processing and adult merchant account needs.


Best Age Verification Software

Age Verification Software for Adult Websites

Operating a safe and secure website is one of the most important functions for any adult webmaster and business and a requirement of adult merchant account providers, but age verification has become especially important in Europe, with the German Government and the Parliament in London passing legislation requiring better protection against youth access to adult websites. It has never been more important for merchants to understand and find the best program to handle their age verification services to ensure complete compliance with adult payment processor requirements and new legal regulations.

The first government to begin enacting laws protecting underage internet users from adult material was Germany in 2002, with the passage of Jugendschutzgesetz (Youth Protection Act). This legislation focused on the content providers to ensure that they did not deliberately or maliciously provide or make available adult content and products to underage individuals. With stiff penalties including large monetary fines and the possibility of prison, it made online providers check and self-regulate to ensure that they were not violating the law and eliminated any potential liability once the act went into effect in 2003.

In the UK, the passage of the Digital Economy Act has taken the Youth Protection Act in Germany to another level, making it necessary for adult businesses, including online content websites, to ensure that every visitor in the UK is verified as being over the age of 18 or risk fines upwards of £250,000 per violation. Though the deadline for the start of the UK law has been pushed back, adult companies are still scrambling to find age verification solutions that offer the functionality required by the new government regulations while providing users the highest level of protection and security of sensitive personal information. Finding this solution has become a challenge that has plagued many adult companies with users in the United Kingdom over the last couple of years, opening the door for a new age verification industry.

One of the largest internet based adult content companies, MindGeek, has come out and supported the UK Government’s new age verification legislation guidelines and set out to provide a solution by creating their own program called AgeID. This new age verification software program will require the name, address, telephone number and date of birth to be provided by users for verification by an outside 3rd party company, ultimately creating verified profiles that will allow users to access content across all the websites within the MindGeek network.

Smaller adult companies, including websites with a limited user base or a small UK presence, have been forced to figure out an economical solution to ensure their compliance in the coming year. While use of AgeID across other platforms could be a possible solution for smaller companies, many have raised concerns about having one company become the dominant adult age verification software provider, especially a company that is also a competitor in the same industry. These concerns have led many companies to look elsewhere for solutions.

Best Age Verification Software Programs

There are many different age verification programs available to webmasters, depending on how in-depth a verification process a business wants to put its customers through prior to accessing the website. Some verification programs simply ask users to fill out a popup with their birthday to gain entrance, while other programs will take additional customer information and perform a detailed background check to verify the user’s identity.

One of the higher rated products, commonly used on WordPress websites, is AgeVerify, which offers both a free and a paid version of its program. While neither the free nor the paid program from AgeVerify provides verified results, it does provide an affordable solution for throttling access to age sensitive websites. The paid version allows webmasters to customize the background and information displayed on the popup page, customize the length of time user information is retained to prevent repeat age prompts, and set geographic specific requirements.

With the changing government landscape, the use of popups is slowly becoming an outdated and inefficient means to verify website users. More and more websites have turned to paid services that check each verification request against public databases to determine the validity of the user’s submission. Companies such as Mitek and AgeChecker.Net have developed software that uses a combination of government issued IDs, public database background checks and even facial recognition to ensure that the web users are who they claim to be from the IDs provided.

Unlike AgeVerify, the AgeChecker.Net system takes the information input by website visitors and uses it to verify with 3rd party identification companies that the details are correct, checking name and date of birth records to confirm identities. When an ID cannot be verified, whether it’s due to information not being correct or there is reason to warrant additional information, users will be asked to provide a mobile photo of a government ID to confirm the data on hand.

A more aggressive alternative to AgeChecker.Net is the Mitek Mobile Verify age verification software that provides businesses with additional different layers of ID verification services, some of the most sophisticated available to merchants today. When a user request is made, customer details are checked against the information stored at various identity service providers and images of IDs are checked and confirmed with proprietary software as to their validity. In cases where additional information is needed to render a decision, facial recognition software is used to verify the web user is the person on the ID, providing multiple levels of ID and document verification without requiring users to leave the comforts of their own home.

Why Some Age Verification Software Programs Don’t Work

More basic age verification programs, specifically programs that do not use any external verification services, can allow users to fraudulently enter age or identification information and gain access to the age sensitive website content that is prohibited to underage users. Depending on the guidelines of the business, the requirements of the payment processor for e commerce websites or even the laws governing that industry in a specific jurisdiction, the extent of the age verification services needed to operate can vary drastically.

In the USA, most businesses are protected today by the Computer Fraud and Abuse Act, where an age verification popup allows merchants some legal protection from use by underage individuals by stating their terms and conditions were violated when the user knowingly entered false information upon entering their website, a significantly different set of laws when compared to the British government’s new guidelines.

With many choices of age verification software programs available to businesses, it is up to the merchants to decide how they want to verify their users. While some countries have begun requiring extensive age verification programs, others have not opted to place that requirement on businesses. Utilizing a cost effective identity verification program can help businesses build a solid customer base while limiting legal liabilities and other potential fraud stemming from unverified users.


What is PCI Compliance?

PCI Compliance 101

As technology advances and credit card usage increases, the threat to both cardholders and merchants of payment account theft continues to grow. Large corporations such as Home Depot, Neiman Marcus and TJ Maxx have all fallen victim to data breaches from cybertheft. These instances end up costing corporations hundreds of millions of dollars and affect the tens of millions of cardholders who used these retailers. In an attempt to prevent future attacks and protect the information of the cardholders, the PCI Security Standards Council was formed to combat this growing problem.

In 2006, the Payment Card Industry (PCI) council was created to help train and educate vendors, merchants, hardware and software manufacturers along with other financial institutions about fraud and securing customer payment card account information. Through educational material and industry-wide guidelines, PCI security standards were set in place to help combat fraud and provide safe and secure environments for customers shopping online, over the phone or in retail locations.

Who is the Payment Card Industry?

The members of the Payment Card Industry council, who are responsible for creating the Payment Card Industry Data Security Standard (PCI-DSS), are the largest payment card brands and payment card networks in the financial services industry, including:

  • Visa
  • MasterCard
  • American Express
  • Discover
  • JCB

These members are all responsible for creating, maintaining and updating the PCI standards that vendors, merchants and financial institutions are required to abide by when handling customer card account information.

What is PCI-DSS Compliance and Why Does It Exist?

As technology has evolved and payment cards have grown to become the most common form of payment, the threat of fraud and the cost of payment card theft have also increased. In 2017 alone, over 1 million cases of payment card fraud were reported to the FTC, resulting in over $900 million worth of fraud losses by merchants, financial institutions and credit card networks.

By creating the PCI-DSS standards and requiring financial institutions to ensure vendors and merchants are compliant every year, the Payment Card Industry is working to prevent some forms of credit card fraud. The goals that were set forth by the PCI council include:

  • Building and Maintaining a Secure Payment Network
  • Protecting Cardholder Account Information
  • Maintain a Network Security Management Program
  • Require Strict Access Controls by Merchants
  • Regular Monitoring and Testing of Network Security
  • Maintain a Policy of Security Measure for Network Users

Maintaining a Secure Network: Merchants utilizing credit card terminals, point of sale systems and/or payment gateway applications are required to maintain a firewall to strengthen the network security and lessen the threat of any security breaches. When merchants are set up with new payment card services and equipment, when an employee leaves the business, or as an ongoing security precaution, merchants are required to maintain strong passwords that cannot be easily guessed and are encouraged to change passwords on a regular basis.

Protecting Cardholder Data: Businesses that store cardholder data for future billing are responsible for maintaining the account information in a secure manner that prevents the possibility of theft or fraud. Account information should never be written down or stored in a physical manner, rather it should be held in a PCI Compliant location that prevents full account information from being accessible. When sending card account information online from a shopping cart through a payment gateway or through a wireless card reader, card account information is required to be encrypted to prevent any possible threats from vulnerable connections or programs.

System Management Programs: Merchants operating e commerce websites or using WiFi connections to transmit payment card transactions should maintain strong system security protocols. Whether it’s by using a secured WiFi connection, utilizing anti virus software on a computer or maintaining a TLS/SSL certificate for e commerce websites, maintaining this high level of protection will help ensure that transactions are sent through secure environments, reducing the chances of information being compromised.

Physical Access Control: One of the most common ways that cardholder account data is lost and compromised is through the physical handling of payment card information. This threat can be limited by controlling the access by employees to the cardholder information, restricting this account information to only individuals that are required to handle the cardholder data. Merchants using POS systems, using a payment gateway or virtual terminal can restrict employee access to cardholder data by implementing user accounts and controlling the permissions within those accounts. Merchants should never store cardholder account information in a physical form, rather utilize a secure PCI compliant storage application to retain this sensitive data.

Ongoing Testing of Networks: PCI Compliance requires merchants to perform annual, if not more frequent, testing of their systems to ensure that all security protocols and programs are functioning properly. These scans are conducted through various companies, whether sponsored by the merchant acquirer or run by an outside company, demonstrating that all parts of the network are fully PCI Compliant.

Maintaining Current Security Policies: Keeping employees, along with the merchants, up to date on PCI regulations and guidelines is one of the best ways to ensure that the business remains compliant during the course of the year. By providing ongoing information and training, merchants can make sure that all facets of their business, from their website and credit card terminals to their payment gateway and employees, are fully aware of and current with all aspects of the PCI-DSS regulations.

Why Does PCI Compliance matter?

The members of the Payment Card Industry came together to help create an environment for merchants and customers alike that promoted security and trust among all individuals using the payment card networks. When security is strengthened by all users, it accelerates the growth of the network by allowing more customers to feel confident and use their payment cards more often, while merchants will realize more sales and larger revenues.

Without guidelines for network access, merchants and financial institutions, along with the payment card brands, risk losing the trust of customers, a potential threat that could cripple the industry indefinitely. This is why PCI-DSS standards and guidelines have been established and why compliance is required of merchants, vendors and financial institutions.

Non-compliance by companies can create a variety of potentially costly and troublesome problems with not only the Payment Card Networks but also a number of different industries closely associated with the financial system. Potential problems that could arise from non-compliance include:

  • Increased costs of merchant services
  • Fines and penalties from the Payment Card Industry
  • Termination of merchant services by the PCI
  • Costs from legal judgments and any settlements
  • Loss of customer trust with a business
  • Decline in revenues or incomes, potential loss of job
  • Closing of the business

Though some of these scenarios can appear to be extreme, the costs associated with non-compliance can become tremendous if a theft or fraud does occur due to a merchant’s inaction to become or maintain compliance.

Who Needs to be PCI Compliant?

Any business or company that has access to cardholder data, provides a payment service or builds hardware to accept payments is required to follow the PCI guidelines for compliance. These businesses include, but are not limited to:

  • Merchants; including all employees regardless of their industry
  • Financial institutions; including merchant acquirers and payment service providers
  • Manufacturers of credit card terminals and POS systems
  • Payment gateway service providers
  • Web hosting companies providing e Commerce hosting services
  • Online shopping cart services
  • e Wallet service providers

Some of these businesses might not directly handle payment card transactions, but the security protocols and services they provide that are used by merchants should at minimum reach the standards set forth by the Payment Card Industry.

How do Merchants become PCI Compliant?

PCI Compliance for smaller companies can be accomplished through self-assessments that are provided online by the merchant acquirers. By having the merchant answer a series of questions about its practices and methods of payment card acceptance, the merchant acquirer can determine if the business is operating in a way that limits its potential for payment card fraud. Some of the questions that are asked of merchants during their PCI Compliance scan are:

  • If anti-virus security software is used on their computer systems
  • If the merchant uses a firewall to prevent remote access to their computer systems
  • The strength of the passwords and the frequency of which they are changed
  • The type of software they are using on their computers
  • The name of their payment gateway service
  • The name of other security services providers (SSL
  • The types of credit card terminals (if they accept EMV chip cards)
  • The practices of employees for accepting payments (mail order, phone order and in store)
  • How card account information is stored for future billing purposes

Merchants located throughout the world are required to maintain their PCI Compliance. While the level of compliance and the dates by which compliance is required might vary, the program exists throughout the world wherever payment card transactions are accepted.

Merchants are classified as one of 4 levels depending on the number of transactions per year that they are processing through their networks. Larger merchants require additional security measures compared to smaller merchants. The levels of PCI Compliance are determined by the following:

  • Level 1 – More than 6,000,000 transactions annually
  • Level 2 – Between 1,000,000 and 5,999,999 transactions annually
  • Level 3 – Between 20,000 and 999,999 transactions annually
  • Level 4 – Less than 20,000 transactions annually

Level 1 merchants are required to do the annual self assessment questionnaire along with an annual onsite audit conducted by a certified security assessor. Merchants in levels 2 – 4 are required to complete a yearly self assessment questionnaire and partake in a remote scan of their merchant hardware and software.

Who Checks that Companies are PCI Compliant?

Level 1 merchants, along with third party payment processors that are connected to VisaNet and MasterCard, are required to participate in yearly onsite audits of their software, hardware and procedures. Level 2-4 merchants have remote scans available to them to audit their business in a rather quick and simple process; some annual audits can be finished in under 10 minutes.

Onsite PCI DSS compliance audits are administered by Qualified Security Assessors (QSA) that are located throughout the world, servicing various regions, countries and markets. With well over 100 different companies throughout the world that are recognized as qualified by the Payment Card Industry as authorized assessors, merchants and payment processors can rather quickly find an assessor to audit their company.

Questions about PCI Compliance for Adult Merchants

Merchants and other companies operating in the adult industry that have any questions or concerns about their current PCI Compliance or about becoming PCI Compliant can contact one of our adult merchant account professionals at Adult Merchant Services. Our team will be happy to speak with any merchants and help point them in the right direction.