IBABC/Moneris Preferred Merchant Program



IBABC members: be sure you're getting the preferred merchant rate

Members will remember all too well that in 2010 the major credit-card companies raised merchant fees to reflect the increased security features required in the marketplace. IBABC's agreement for a member-preferred rate came up for renewal around this time, so we undertook a thorough review of rates offered by all card-processing providers. Earlier this year we negotiated new member rates with Moneris.

The IBABC/Moneris Preferred Merchant Program allows members of the association to receive discounted rates on their terminal rentals, credit-card processing and Interac processing fees. These rates are very competitive, especially for the category that represents the majority of transactions processed by brokers: the over-the-phone or email transactions, otherwise known as card-not-present transactions.

These transactions usually have higher rates because in an average retail setting, they have the highest risk of fraud. The risk in the insurance industry for these transactions is much lower because brokerages have more information about the customer, so Moneris has given IBABC's members a rate that reflects our industry's lower risk. If you are comparing rates to other providers, this is the rate worth looking at closely.

If you are a Moneris customer but didn't stipulate when you set up the account that you are an IBABC member, you may not be getting the member rate. Check your invoice from Moneris. The member rate for a card-not-present transaction on a Visa consumer card is currently 1.74%; for a MasterCard consumer card, 1.83%.

To switch your existing Moneris account to the IBABC Moneris Preferred Merchant program, or to switch over to it from another vendor, please contact Jennifer Lipke, membership and event coordinator at IBABC, 604-606-8002.

Moneris also offers eSelectplus as an online alternative to the traditional card-swipe terminals. This could be an advantage if your business does not have many "card present" transactions or if you process transactions directly from your website.

Best practices for payment-card security

In a typical brokerage, brokers are processing payments from walk-in customers, receiving credit card information by email or fax, and printing credit-card information and storing the paper copies in cabinets or at off-site storage facilities.

The brokerage is responsible for meeting security standards relating to all these payment-card transactions (typically, their insurers would be responsible for the transactions sent through the insurers' broker portal). The compliance standards for payment-card transactions are required by the system provider, such as Moneris, and may also be stipulated in insurers' contracts with brokerages.

Depending on the size of the brokerage, the number of employees and the complexity of its network, it could be simple or very complex to become compliant. On the simple end is an office with only one credit-card terminal connected to a dedicated phone line. At the other extreme is the complex operation with Voice over Internet Protocol (VoIP) systems, large networks with no segregation between servers, and websites that accept online payments.

The payment card industry (PCI) works cooperatively through the PCI Security Standards Council to develop internationally accepted standards and to educate users about them. The Council's founders, which include American Express, MasterCard and Visa, have agreed to Data Security Standards (PCI DSS) as the technical requirements for all their data security compliance programs world-wide.

Compliance with the PCI DSS is mandatory. If a merchant's operation and service providers are not compliant with PCI DSS, the card associations can levy fees and fines and terminate credit-card processing services.

The PCI DSS outlines 12 basic requirements that define security best practices:

Build and maintain a secure network:

1. Install and maintain a firewall configuration to protect cardholder data.
2. Do not use vendor-supplied defaults for system passwords and other security parameters.

Protect cardholder data:

3. Protect stored cardholder data.
4. Encrypt transmission of cardholder data across open, public networks.

Maintain a vulnerability management program:

5. Use and regularly update anti-virus software.
6. Develop and maintain secure systems and applications.

Implement strong access control measures:

7. Restrict access to cardholder data by business need-to-know.
8. Assign a unique ID to each person with computer access.
9. Restrict physical access to cardholder data.

Regularly monitor and test networks:

10. Track and monitor all access to network resources and cardholder data.
11. Regularly test security systems and processes.

Maintain an information security policy:

12. Maintain a policy that addresses information security.

If they haven't already done so, brokerage managers should work with their IT providers and perform a system audit using the PCI DSS as a checklist. Additional information and supporting documentation can be found at