Neither Rain Nor Sleet Nor Snow Nor Dark of Night

Put Your Gateway to the Test
by J. David Oder

The motto of the United States Postal Service. Of course, we are all aware that the Post Office no longer lives up to this lofty motto. However, when it comes to credit card processing, and more directly to credit card gateways, this is a motto that should be followed. Since your organization is dependent on credit cards for the majority of your income and cash flow, you cannot accept service that can be interrupted, period.

With Hurricane Charlie and Frances in the news as of late, this is an issue that has been brought to the forefront, and it should be a concern for everyone, not just those that are using gateways or credit cards services that are located in Florida . The thought of loosing one's credit card processing capability or support for several hours, days, or even weeks merely because your gateway is in the path of the storm, could be hit by lightening, destroyed by a tornado, an earthquake or a sever snow storm is a concern for everyone, everywhere.

We shouldn't kick Florida while they are down, but we all must be aware how important it is to have a credit card gateway that would not be affected by a natural disaster or in the worst case by an act of terrorism.

Visa's Cardholder Information Security Program (CISP) has one domain (or section) on Disaster Recovery. Their belief is that security is not just for loss from thieves (electronic or actual) it is also being secure in the fact their cards can always be used no matter what the circumstances.

The big boys like Visa, MasterCard, and American Express and many others have good systems. However, on that terrible day in September 2001 when the twin towers fell, American Express was hit as well. If their data center was like many of the gateways no one would have been able to use an American Express Card on September 12th, but that was not the case. Why? Because American Express had redundant data centers. When one was hit, the other took over. While there was some loss of service and even some loss of quality of service, merchants could still accept and cardholders could still continue to use American Express.

When choosing a gateway, it is important not to just look at how much it costs, how fast it is, or how it works; it is important to make sure that it will keep working, no matter what. Otherwise, the question becomes, “how much does it cost me to be down?”

Some of the costs are “out of pocket” actual costs, and others are costs that will never really be known, like how much business was lost because of poor guest services.

Out of pocket costs include the cost of using the call center for authorizations, the cost of transactions downgrading from electronic to manually keyed, the cost of increased clerk labor, and the cost of additional accounting. The costs that are not seen are guests that get disturbed over additional time at check-in because you are forced to use a manual process when the gateway is down. Guests have choices and many will choose an alternative if their “guest experience” is burdensome.

When looking at your current gateway or any gateway that you are considering, here are a number of questions that you should get substantiated answers to:

1. Is the gateway CISP, SDP, etc. certified? That is, are they listed on Visa's list of firms that have been independently audited to comply with the 12 domains of the Visa Cardholder Information Security Program. Remember, compliancy is not certification. Ask the gateway provider to prove their certification.

2. Is the gateway registered with the various card associations? Ask for registration numbers.

3. Does the gateway have redundant datacenters? One goes down, the other takes over. This keeps you up in the event of a terrorist act or a catastrophe like a building being destroyed by an unforeseen accident.

4. Are the gateway data centers in areas not prone to natural disasters, like hurricanes, earthquakes, tornados, snowstorms, etc? Some states like Florida and California have their share of natural disasters. When mandatory evacuations take place, even if the systems stay up, support centers may not be manned.

5. Are the gateway data centers backed up by generator so they can stay up even when the power is down? The grid going down in one state can affect another state, as we saw in the North Eastern black out of a year or so ago.

6. Do the gateway data centers have redundant connectivity to your company? A single carrier can go down in an area affecting your ability to connect to your chosen gateway.

7. If their connectivity is over the Internet, do they have multiple Internet carriers? While the Internet is becoming more and more stable, Internet carriers still can go down.

8. Are the gateway's multiple Internet carriers over diverse technologies like telecommunications, cable, microwave, satellite, etc.? This protects against the dreaded farmer or contractor with a backhoe that digs up a fiber upon which multiple telecommunications providers depend.

9. Is your data regularly backed up by the gateway? While computers are becoming more and more reliable, it would be a disaster if your data were lost because of a hard disk or computer failure.

10. Is your data maintained in two locations? It is great if there are two data centers, but if your historical data is only located at one, you are still affected by potential disaster.

11. Can you backup your own data? Even the best backup systems sometimes fail and having your historical data in your possession could become critical.

12. Does the gateway have a policy of being up 24/7? A gateway, which has to be down an hour or more each day for maintenance, is just as bad as a gateway that goes down because of natural disaster, power outage, telecommunications outage, or a catastrophic accident. It is always “peak time” somewhere.

13. Does the gateway have multiple connections to the processors it services? Individual leased lines can go down, and while they are under control of the processors, you are still down.

14. Does the gateway publicly publish their up-time statistics? Those that have good statistics are proud of them and want the world to know. Those that don't publish them, usually have a reason for not doing so.

The right answers to all of these questions are critical. But your experience and the experience of others should be taken into account. Look critically at the statistics. A gateway, which can answer yes to all of these questions, can still be down a lot merely because the system itself is weak and was not built with reliability in mind.

We can't change the Post Office, because they no longer live up to their motto, but we can make sure that our credit card processing can weather any storm.

About the Author

J. David Oder is President/CEO of Shift4 Corporation, a Las Vegas , Nevada firm, which supplies Electronic Payment Applications and Services to Hospitality Merchants worldwide. Shift4's CISP Certified and registered ASP application DOLLARS ON THE NET^® reliably processes over $10,000,000,000 of transactions (credit, debit, private label and dynamic currency conversion) annually, providing high-speed connectivity between the nation's most prominent software providers, at the point of sale, and the world's best credit card processors, large and small.