Attention-to-detail skills have become an even more prominent part of a job description for a merchant acquirer or independent sales organization dealing with the most recent demands of a complex payments industry.
It seems the list of tasks screaming for attention has grown dramatically in the past couple of years.
First, the Internal Revenue Service established requirements for reporting merchant credit card sales and merchant classification codes for the 2011 tax year, and acquirers must supply an accurate Tax Identification Number for each business in their database.
The major card brands also expect intensive monitoring of online merchants for potentially fraudulent and other illegal product sales. By carefully scrutinizing their merchants’ websites, acquirers possibly could avoid fines from the card brands when merchants sell illegal goods or a Federal Trade Commission hearing prompted by a disgruntled consumer sold a replica of an advertised item believed to be authentic.
Moreover, the card brands want third-party vendors such as website hosts or online shopping cart providers registered in their databases as being PCI-compliant. ISOs must identify and register those vendors to make it more difficult for cyber attacks that could put the card data of hundreds of customers from different businesses in jeopardy.
No wonder security experts and other consultants say they are working with many frustrated and concerned ISOs and acquirers.
Indeed, clients are “jumping through hoops and going nuts” because of all of the new due diligence, acquiring consultant Paul Martaus of Mountain Home, Ark.-based Martaus & Associates tells PaymentsSource.
“ISOs are stuck in the middle of this very convoluted industry,” Martaus says. “I’ve heard it said that this is the most complex simple business on earth.”
The IRS requirements make it seem as though the federal tax agency believes billions in unreported taxes stem from credit card transactions, Martaus suggests.
“If I were a retailer and someone said ‘Next year the IRS wants to take your credit card volume and calculate it for tax purposes,’ I’d probably stop taking credit card payments,” Martaus says.
The IRS now requires banks and merchant service providers to report annual the gross credit and debit card payments they process for their merchants. Acquirers would not have to report to the IRS if a merchant does not exceed 200 transactions or $20,000 in payments annually.
The agency announced in October it would not penalize acquirers working in “good faith” to comply if the IRS finds mistakes in documents related to tax identification numbers or in the placement of transaction amounts under the appropriate merchant classification codes. However, tax experts say that does not mean acquirers get a free pass on the regulations this year (
Brian Riley, senior research director and analyst with Needham, Mass.-based TowerGroup, tells PaymentsSource he sees “a lot of anxiety” in the industry regarding the IRS regulations. ISOs view the Jan. 1 1099-K form submission deadline in January as a difficult task, he adds. As part of the new code, acquirers must submit the form annually to report their merchant transaction data.
Acquirers and ISOs will work hard to determine the best way to handle all of the new tasks, but some will seek loopholes around the transaction thresholds, Riley suggests.
“I could see an ISO possibly changing a processor every quarter so as to stay at $19,999 or lower,” Riley says.
Gathering accurate tax identification numbers for each business creates headaches for acquirers because some merchants have different ones for different aspects of their business, especially when a U.S. company is operating in foreign markets, he adds.
As if facing the task of meeting new IRS rules is not enough to keep acquirers busy, they also face hearings with the Federal Trade Commission or fines from the card brands if an ISO they work with is unaware how their online merchants are conducting business.
“The whole Internet space is incredibly scary, with organized crime seeking the brightest technology professors and students to hack into credit card databases,” Martaus warns.
ISOs and acquirers who specialize in working with online merchants are aware of fraud tendencies and know whom to trust, he contends.
“It’s the dabblers [with online merchants as clients] who get in trouble and don’t know what they are doing,” Martaus says.
Robert Caldwell, founding partner of Bellevue, Wash.-based G2 Web Services, a merchant compliance monitoring and e-commerce risk management provider, informed attendees of an Oct. 27 Electronic Transactions Association compliance day event in Chicago of a new portal-based reporting system to help acquirers expose fraudulent merchants (
The International Anti-Counterfeiting Coalition, a Washington, D.C.-based nonprofit organization, helped the major card brands establish the system for acquirers to report intellectual property rights violations and to attempt to stop “rogue websites” from selling counterfeit goods online, Caldwell tells PaymentsSource.
After confirming the data, the coalition would pass the information on to the card brand, which would identify the merchant and website and direct the acquirer to take action, Caldwell explains.
“This doesn’t establish new rules per se, but it is a better process,” Caldwell contends.
The process does not alleviate the acquirer from having to monitor an online merchant’s website, but it provides “clear support” for the acquirer when going to the merchant to terminate its business, he says.
“The bad guys change over time, and six weeks into their business they can change what they are selling, and the acquirers can’t always see it when one of their merchants is changing,” Caldwell says.
Third-party vendors present a different challenge because if they experience a security breach, every merchant they service could be endangered, Caldwell says.
Card brands push acquirers to identify third-party vendors and register them with the card brand to be included on a list of service providers that comply with the Payment Card Industry Data Security Standard, Caldwell adds.
“There is a high level of pressure for the ISO to monitor what the merchant is doing and understanding what the third-party vendor is doing,” Caldwell says.
The changing payments landscape is not lost upon the PCI Security Standards Council, which establishes standards and recommendations for data-security standards compliance.
“The flood (of new security risks to monitor) keeps moving and shifting, and the PCI council is seeing a lot of new areas that need to be looked into,” Bob Russo, council general manager, tells PaymentsSource.
The more closely the council looks at technology issues, the more topics it reveals that need attention, Russo contends.
Council special interest groups, which focus on specific security topics to submit recommendations for future standards, will study cloud computing, e-commerce security and best practices for risk management in 2012, illustrating the ongoing need for education regarding new security risks, Russo says (
Whether it is education or simply an extra set of eyes, ISOs and acquirers are likely to welcome any help they can get in sorting out all of the details in their expanded due diligence.
What do you think about this? Send us your feedback.
