By Stuart Lindsay, Principal, Edgehill Golf Advisors
(As seen in Nov. 2020's Pellucid Perspective)
In mid-October, we were made aware of problems for some courses using the Elavon/ETS credit card processing platform for their online stores. Harvey Silverman sent me a note saying “this is right up your alley.” As some of you know, I have written extensively about the murky business of credit card processing many times over the years. As we investigated the situation, we saw tremendous efforts made by both the NGCOA and a well-respected web and e-commerce hosting company in dealing with the situation and getting resolution for the affected courses.
Pellucid was also impacted tangentially by these attacks – we use the same web and e-commerce company to host our website and Elavon/ETS for online payments. We weren’t affected by the “hack”, but our online store was shut down as part the company’s proactive steps to prevent the hackers from spreading to more courses. Ultimately, we did switch processors as part of getting our store back up and running.
To summarize the “hack”, here is a statement from Ronnie Miles, Director of Advocacy for the NGCOA in an October 29th posting to the “Accelerate” community within NGCOA's membership:
“As NGCOA recently reported, our industry was recently hit by a credit card scam. To date, this scam has resulted in more than $428,000.00 in erroneous charges to at least 15 golf courses.
Since being alerted to this issue, NGCOA engaged with all parties who had participated in processing the credit card transactions and withdrew funds from our golf courses' bank account. This includes representatives from Elavon, U.S. Bank, which was the acquirer for Elavon/ETS credit card transactions, and VISA Corp. in an effort to identify the parties responsible for refunding our golf courses.
Elavon indicates that they are going to provide refunds to the affected golf courses. As of this date, all requested refunds have been approved. We are continuing to work with all of our affected courses to ensure they receive the same commitment and their funds are fully returned.”
In addition, we spoke with Jay Karen, CEO of the NGCOA, the CEO of the webhosting company and Jay Eccleton of The Emerald in St. Johns, MI. Collectively, they provided copies of correspondence with the various parties and additional background. A couple other affected courses were contacted, but declined comment; with one indicating that they were worried it would affect their ongoing relationship with Elavon/ETS.
This brings up one of the primary issues with credit card processing – your merchant account is a very important part of your business and the entities that control the process have a tremendous amount of leverage in terms of rules, regulations and their power to dictate the availability of their merchant services. As you will see, they can also be less than transparent and unresponsive to problems – even if it is a problem on their own platforms.
According to Jay Eccleton, the problems appeared over Labor Day weekend in early September. Ultimately, about $13,000 was deducted from their bank account by Elavon/ETS. He contacted them and at least was able to determine that the charges were traced to activity at his online store. He contacted the hosting company, who in turn also contacted Elavon/ETS. Eccleton was told the charges were valid and the hosting company was told it was a security issue on their platform.
This initial stonewall from Elavon/ETS prompted Eccleton and the hosting company to contact the NGCOA. The hosting company was also able to screen capture the fraudulent activity and determine that it was a breach of the secure payment process on the ETS platform after the “customer” left the website for checkout. There was no vulnerability on the hosted websites.
It was also determined that Elavon/ETS did not provide “velocity protection” that is a common security feature for many online stores. This would have prevented the millions of “hits” required to add up to the $428K of fraudulent charges. It gets technical, but that “hack” was based on transaction charges of only 8 cents each that are charged even when a credit card is “declined”. It’s also interesting that the hackers never got any money – they were “testing” credit card numbers and Elavon/ETS actually got to keep the resulting extra revenue.
With the situation “resolved” and refunds approved, there are two major points to be made:
- Without the advocacy provided by Jay Karen at the NGCOA and his contacting of the highest echelons of Elavon, US Bank and VISA management, this resolution would have been much more difficult. Each of the affected courses would have had to fight the battle alone – without the benefit of the NGCOA’s position as a respected national organization.
- The hosting company stepped up as well in providing their customers with the technical information necessary to prove the responsibility of Elavon/ETS that finally prompted the refunds.
For any of our readers that are not members of the NGCOA, this is a great example of the benefits and advocacy that they provide. For those that are, it’s additional validation for the value membership brings. For those of us in the industry that don’t operate golf courses, it’s a reason to support the NGCOA in any way we can.
This situation also points out the need to pay closer attention to your credit processing. At a time when processing costs are rising due to “reward” cards and increased volumes of online payments, new and more secure options are available.
Stuart Lindsay is the Principal at Edgehill Golf Advisors and a Contributing Editor to Pellucid Perspective