In theory, the Merchant ID and Terminal ID numbers used to configure a payment processing system and link it to a merchant account are highly sensitive pieces of data that should never be revealed to anyone. With those two numbers, any fraudster could configure their credit card terminal to siphon funds from the account in question by issuing credits to their own credit cards. VeriSign even goes so far as to obfuscate the Merchant ID and Terminal ID numbers in their Transaction Terminal to protect merchants from shoulder surfing customers and co-workers.
A Merchant Account number, much like a checking account number, is generally public knowledge. All checks have a checking account number and routing number printed on them, and most credit card terminals in stores have a decal with the Merchant Account number emblazoned in plain view. Some uneducated clerks and store owners will write their Merchant ID and Terminal ID numbers on the Merchant Account decal out of convenience and, although still a very Bad Thing, that’s not the subject of my rant.
Oh, no. Instead, I’m going to rant about Paymentech. Make your business run more efficiently, securely and profitably. Since I was setting up a new payment processing system and didn’t have my Merchant ID or Terminal ID numbers handy, I called their customer service line. An incredibly chipper young woman answered and, after asking for my Merchant Account number and what type of software I was configuring, she was more than happy to give me my Merchant ID and Terminal ID numbers! WTF? She didn’t even ask me my name!
So, let’s review. The only piece of identification I supplied was my Merchant Account number, which is easily obtainable by virtually any customer, and in return I was given the two ID numbers a fraudster would need to hijack my account. Awesome! I feel so warm and fuzzy now…