By Jay Karen | November 1, 2020
When news hit my desk a couple of weeks ago that some golf courses fell victim to a scam that involved a merchant processor, it didn’t surprise me to see the three letters “ETS” in the email. Perhaps it was no coincidence that my column in October referenced my greatest regret over the past five years being our unsuccessful pursuit of justice after ETS levied unauthorized and unexplained charges upon thousands of golf courses in 2014, adding up to what we believe was millions of dollars. Even if you are no customer of ETS, I encourage you to continue reading. There is a lesson in here for any business operator. As a reminder, ETS was purchased by Elavon in 2018, and Elavon is a subsidiary of US Bank.
Here is how the scam works, and why golf courses are actually paying Elavon and not the scammers. Many golf courses have online stores, which facilitate sales of gift cards and other non-tee-time related products. This is a separate payment portal than the booking engine. Scammers somewhere in the universe utilize “bots” that, in rapid-fire succession, enter random credit card numbers into the online payment portal. The great majority of these numbers are bad numbers and result in failed charge attempts. The purpose of this repeating, random exercise is to hit on an occasional working number. The working numbers are then harvested for other, presumably nefarious uses. But, each time a failed attempt is made, Elavon charges the golf course around ten cents. Multiply ten cents by two hundred thousand failed transactions, and you’re quickly at $20,000 in fees. In one case, Elavon attempted to pull $164,000 in “fees” from one golf course! The failure of the payment portal to detect that a scam was happening created a situation where courses hit by this scam didn't even know about this until they received their monthly bank statements and saw the fees had already been withdrawn by US Bank.
As our readers know, small businesses give merchant processors direct access to their bank accounts, because the assumption is that for every $3 the merchant processor is owed, the merchant processor will deposit $97 into the bank account. No operator expects it to work the other way around! Not only was this a breach of ETS’s old technology, it was also a breach of trust. The scammers are getting away with harvesting innocent people’s credit card numbers, and, unchecked, Elavon could have profited BIG TIME off the backs of golf courses and from the breach in their technology.
Since being alerted to this issue, NGCOA engaged with all parties who had participated in processing the credit card transactions and withdrew funds from our golf courses’ bank account. This includes representatives from Elavon, US Bank and VISA Corp in an effort to identify the parties responsible for refunding our golf courses. Elavon has indicated, as the time of writing this, that they are going to provide refunds to the affected golf courses. We are continuing to work with all of our affected courses to ensure they receive the same commitment and their funds are fully returned.
Golf course operators: please do not fall asleep at the wheel when it comes to vendors that literally have direct access to your bank accounts. If there is fertile territory for scamming and fraudulent activity, it will be with those who have access to your money.
For those golf courses and software companies in our industry still working with ETS (now Elavon), I’d love to hear from you. I’d love to know why you do, when the industry has no shortage of worthy competition.
Caveat emptor, course operators!
Disclaimer: First American Payment Systems is a Smart Buy Supplier of NGCOA. If any of our characterization of the happenings mentioned above turn out to be untrue or misleading, we will gladly publish a retraction.