Sales agents questioning the revenue-share payouts from their ISOs often ponder the fine line between complaining and complaining too much. The question may be important, however, such as whether the ISO shares revenue when an agent helps bring merchants into compliance with the Payment Card Industry Data Security Standard.
Some agent agreements do not address compliance-program revenue sharing, says Paul Rianda, attorney at Los Angeles-based Rianda Law. In other agreements, revenue-share programs are listed, but not for merchant-compliance programs, he says.
The dilemma for agents, and for ISOs and acquirers that write the contracts, is the potential for a dispute over money to sour the relationship.
In some instances, a few agents have told Rianda the commissions on compliance programs have been at lower percentages than those they receive for other programs with the same ISOs. A similiar situation developed about 10 years ago, when charging merchants annual fees surfaced, he says.
For example, an ISO may split a merchant-paid fee in half with the agent for many programs but may pay only 30% on a compliance program, asserting it could do so because the fee is not included in a contract, Rianda says.
Agents typically wonder why and what they can do about that. Unfortunately for them, the answer is not much, at least not without changing the contract or reaching an amicable conclusion.
"For the most part, smaller agents don't have much leverage," Rianda tells ISO&Agent, noting many agents fear questioning will get them nowhere. "It's always a fine line between complaining and complaining too much."
FIXING THE PRICE
Some ISOs sidestep the revenue-share issue for compliance programs by charging only enough to cover the cost of the program.
"We priced our PCI program at cost for the merchant," says Steve Cartwright, chief financial officer at American Payment Systems LLC, a Mesa, Ariz.-based ISO. "We don't share revenue because there isn't any."
Now 16 months into the compliance program, the ISO has learned some lessons, Cartwright says. Specifically, American Payments Systems adjusted the pricing.
In the first year, the ISO charged merchants $7.95 a month. Now American Payment Systems charges merchants $50 a year for services provided by ControlScan Inc., an Alpharetta, Ga.-based technology security-firm.
"What we found is that our merchants were getting hit up by other processors and agents ... saying that American Payment Systems is going to charge a monthly fee, and 'we don't have that,' and that was continually in our merchant's face,'" Cartwright says. Cartwright says thankfully he cannot attribute any attrition to that competitive argument.
Most of American Payment Systems' approximately 1,100 merchants use the service. The ISO asks those that do not to submit their "attestation" of compliance, which declares that their point-of-sale systems have been audited to ensure they comply with the PCI Data Security Standard.
Ideally, sales agents will emphasize American Payment Systems' compliance-program cost to their advantage by telling merchants the ISO sees it as a service and not as a revenue generator, Cartwright says.
Similarly, CardReady, a Los Angeles-based ISO, charges a small fee-$4.95 per month-for its compliance program, says Kevin Hoehn, CardReady president.
"I have a big belief this shouldn't be a revenue opportunity for the industry," Hoehn tells ISO&Agent.
CardReady bases its approach to share this small amount of money with agents on the willingness of the agent to help the merchant, he says.
"If the agent is willing to be trained and take those (compliance-related) calls, we have no problem sharing what modest revenue there is because they are truly doing the work," Hoehn says.
Many agents, however, prefer not to spend as much as an hour on the phone with merchants discussing compliance matters because they prefer to make sales calls instead, he says.
"In those cases where they have (made calls), they're very happy to do it," Hoehn says. On average, CardReady offers a couple of hours of compliance- related training each week, he notes.
MAKING AN ASSUMPTION
Regardless of how involved an agent is in participating in a compliance program, most will have questions about the possibility of sharing revenue, just as the agent would for similar programs offered by an ISO to merchants.
One way to alleviate some of the anxiety about misallocated revenue share is to talk about it, says Adam Atlas, an attorney at Montreal-based Adam Atlas Attorney at Law.
"These additional services, and the fees that go along with them-PCI is just one example-are very important these days" because there is always less and less profit margin on core credit and debit card transaction processing, Atlas says.
If written carefully, agent agreements could eliminate the confusion over revenue sharing, he says.
"Some agreements will say the agent is entitled to a share of all revenue earned from merchants," Atlas says. "Other agreements will say the agent is entitled to share the revenue on the following list of products and services."
Some agreements might allow changes to adapt to products and services launched after the contract's inception date, while others expressly forbid that, Atlas says.
Atlas also has heard of instances in which an agent expected a share of fees paid by a merchant but never received it. "It's a situation of there's not enough money to make a big fight about it, but at the same time it puts into jeopardy the trusting relationship that exists between the parties," he says.
Changing existing terms may constitute a "material change" and require a rewriting of the contract, Atlas says. Some contracts do not allow material changes, he says.
One example of a material change would involve changing a merchant's early-termination fee from what was in the merchant agreement, Atlas says. Making such a change after the fact may not be wise, he says.
"The merchant is obliged to pay the fees set out in the agreement, but if the processor can just change the fees in a material way, then what's the point of a merchant agreement?" Atlas says.
Many merchant agreements do not always permit parties to tack on additional fees at their whim, he says.
Similarly, an agent agreement that does not spell out how each revenue-share program should work may not automatically include programs that start after the contract has been signed, Atlas says.
"Agents should take a moment to see what is in the basket of fees they're sharing in," he says. "It's either an 'everything' basket or a limited list. The preference is an all-in basket."
By signing an inclusive contract, agents may not encounter the hurdle later on of adding in new programs. "It's hard to negotiate a clause that would enable future programs and revenue sharing," Atlas says.
A TRUE UNDERSTANDING
Revenue share or not, agents may find it simpler to talk to merchants about compliance programs, given the permeation of the programs and the tangible services they offer, observers say.
Many PCI-compliance programs that ISOs and acquirers offer their merchants are beginning to prove their value, says Deana Rich, president of Van Nuys, Calif.-based Rich Consulting.
The programs emerged within the past few years as acquirers received pressure from the card brands to increase PCI data-security compliance among smaller merchants.
Acquirers typically assess merchants a monthly or annual fee for the programs, and merchants receive a variety of services, including scans to identify potential security holes and assistance in completing the self-assessment questionnaires the card brands require.
Compliance-program fees vary, and some ISOs and acquirers are not charging merchants for these services.
"About a year and a half ago, people were ignoring it," Rich says of industry reaction to compliance programs. "But they charged for them anyway."
That has changed. Many payment companies have set up in-house procedures to ensure merchants receive the service they pay for, says Rich, who advises payment companies about risk and security. The payment-security companies contracted to provide the compliance-evaluation service are reaching out to merchants through a variety of ways, such as by calling them. "[Merchants] are paying a fee, but they are getting a service," she says.
Rich surmises that ISOs have become aware of the necessity of ensuring their merchants comply with the PCI data- security measures, especially if merchants question what the fees are for.
"ISOs really understand there are repercussions if they don't provide something [worthwhile] to their merchants," Rich tells ISO&Agent.
DRIVE AN ACTION
Tangible compliance services are fundamental to American Payment Systems' and CardReady's programs. Both rely on third-party companies to provide the actual technical service but reserve the important merchant relationship for themselves.
About 50% of American Payment Systems merchants are PCI compliant, Cartwright says. The ISO is working to bring the other half into compliance, he says.
ControlScan, American Payment Systems' security-services vendor, initially used the ISO's merchant list to make outbound calls alerting merchants about the program, Cartwright says. Outbound calls stopped when 50% of the merchants reached compliance.
"For the most part, it's on [the merchants'] shoulders," Cartwright says of compliance efforts. Despite aspirations for a higher percentage of compliance and knowing their merchants, American Payment Systems faced a straightforward issue for many merchants, he says. "PCI doesn't seem to be top of mind for them," Cartwright says.
The percentage of merchants that do not read e-mails from the ISO or that have logged on to the company's compliance website is very close to that of noncompliant merchants, Cartwright says.
"We threatened noncompliance fees but never acted on them," he says. "It doesn't drive any action."
American Payment Systems is trying to increase compliance, especially with new merchants.
American Payment Systems includes the compliance program as part of the sales process, Cartwright says. The welcome kit has information on the program.
Once merchants are boarded-a step for entering an approved merchant's account information so an acquirers may process its transactions-American Payment Systems forwards the information to ControlScan, which sends the merchant the credentials to log on to the ISO's compliance website, Cartwright says.
The ISO automatically includes merchants in the program. "Merchants opt out after the fact if they decide to do their compliance on their own," Cartwright says.
Ideally, merchants choose to stay in the ControlScan program, Cartwright says. ControlScan easily can generate periodic compliance reports that American Payment Systems can then forward to its processor, Atlanta-based First Data Corp., he says, noting American Payment Systems must format reports from merchants using other vendors.
CardReady handles most functions in-house, but not the technical aspects, Hoehn says.
"We do all the support, education, and questions and answers in house," Hoehn says. "It's one of those things when we talk to customers that we have to be able to control the messaging."
Before January, CardReady used a vendor other than Plano, Texas-based Data Delivery Services Inc., Hoehn says. CardReady switched because of cost and Data Delivery Services' ability to offer concrete services to merchants, he says.
It was important for CardReady to find a service that would enable the ISO to control the customer interaction. "It's one of the touch points of the relationship," Hoehn says.
Many companies talk about customer service, but outsourcing their compliance services can be a disservice to the merchant because it places a confusing subject into a third-party's hands, he says.
Additionally, controlling the customer interaction in-house gives CardReady a "solid reason" to contact the merchant regarding something that has nothing to do with sales, Hoehn says.
As at American Payment Solutions, CardReady merchants automatically are enrolled in the compliance program. New merchants receive a call from the ISO's technical team to ensure any questions they have are answered, Hoehn says.
CardReady gives new merchants six months to gain compliance before it begins assessing a refundable $19-a-month fee, Hoehn says. "As soon as they are compliant, we refund that fee," he says. "Frankly, I just want them to become compliant. We make money moving data and transactions. We don't make money on PCI compliance."
ISOs and agents may find it simpler to talk to merchants about PCI compliance because awareness is increasing, especially as breaches continue to capture mass-media interest, suggest some observers.
"For a long time, all one ever heard about was restaurants getting hit all of the time," Rich says. "Now we're hearing about hotels."
In an analysis of more than 200 global data breaches investigated in 2009 by Trustwave, a Chicago-based security company, the hospitality industry, comprising hotels and similar businesses, accounted for 38% of them, up from less than 5% in 2008.
"It continues to happen, where the bad buys find the gaps and we close them and a new one is found," Rich says. Hoehn has a certain appreciation for the pervasiveness of card data-breach coverage in the consumer media that makes compliance less of a foreign subject to discuss with merchants.
"We try our best to be upfront with merchants about the requirements and because we're fairly reasonable in our cost structure, it goes over better," he says. He likens the discussion to spending time annually with one's insurance agent to ensure adequate coverage is in place.
Just as agents and ISOs pay careful attention to addressing merchant questions about fees outside of credit and debit-transaction processing, they should ensure they address related issues.
"ISOs are going to have to get creative about how they make money from merchants," says Atlas. "ISOs and agents should work together, not to the exclusion of the other. This is where the gravy is for the future of our industry. The margins on the core services are becoming so narrow it's hard to earn a living off of them."
Revenue from compliance programs may not be much-if they are even available-to agents, but failing to address them and other revenue-sharing programs in the agent agreement could pose problems later on.
