CHICAGO–Merchant acquirers, independent sales organizations and payment processors should become better “payment consultants” for their merchant clients and provide as much advice as possible regarding data security.
But they also must be aggressive investigators to ensure their card-not-present merchants are legitimate, industry fraud experts say.
Without that approach, players in the payment chain could find themselves facing hefty fines from the card brands to cover merchant breaches or losing money reserves when the Federal Trade Commission rules in favor of consumers wronged by a fraudulent merchant, discussion panelists informed industry executives who gathered here Oct. 27 for the Electronic Transactions Association annual leadership forum.
The industry has to do an even better job of self-regulating aspects of data security and fraud, or federal regulators will feel compelled to get involved, Seana Pitt, vice president of merchant policy and data quality for American Express Co., said during the panel discussion.
“We are all part of this industry and we need to lock arms to do all we can [to prevent breaches and fraud] and leave the government out of our business,” she said. “We are only as strong as our weakest link in the chain.”
The card brands, acquirers and processors should be “policemen and watchdogs” for merchants and consumers with a heightened level of micro-monitoring when it comes to data security and fraud potential, Pitt said.
Visa Inc. created its own government relations team to maintain regular contact with regulators and legislators to help federal lawmakers understand what the industry continues to do for fraud protection, Diana Greenhaw, Visa senior business leader, said during the discussion.
In addition, Visa provides an acquirer risk program to help acquirers understand common fraudulent activities, with the goal of making it easier for them to manage risk in their merchant portfolios, Greenhaw added.
“Criminals are very smart and very quick to take advantage of any vulnerability,” she said.
Protecting against a security breach in a merchant payment system garners much attention in the industry, but uncovering a fraudulent online or card-not-present merchant presents another daunting challenge for acquirers and processors, the experts agreed.
To keep the FTC from becoming involved with a consumer-protection case related to a fraudulent merchant in an acquirer’s database, the acquirer and processor should review the merchant’s charge-back, advertising and corporate history before accepting them as a client, said panelist Jeff Knowles, a partner at Baltimore-based business law firm Venable LLP and an attorney who has represented many acquirers at FTC hearings.
“If the FTC closes down a certain merchant, [the processor and acquirer] lose, and that’s a tough position to deal with,” he said.
Knowles speculated the FTC might better serve the payments industry by sending warning letters to processors if it determines a specific merchant’s advertising could be fraudulent.
But panelist Karen Hobbs, senior attorney in the FTC’s division of marketing practices, said warning letters largely are ineffective because they force the questionable merchant to “go underground and eventually pop up again under another name.”
When the FTC takes a processor’s money reserves to pay back a wronged consumer, it presents one of the more troubling aspects of failing to root out fraudulent online merchants, Robert Cortopassi, senior vice president of Pleasant Grove, Utah-based Accelerated Payment Technologies Inc. and a member of ETA risk and fraud committee, told PaymentsSource after listening to the presenters.
“I am not opposed to self-regulation of our industry. We’ve avoided a lot of regulatory oversight because the PCI Security Standards Council has been doing a great job, but the FTC is saying we need to get similar programs in place to detect fraudulent merchants,” Cortopassi said.
“That’s pretty tough because you can’t take a deep dive into investigating thousands of merchants like you would do after being notified of a problem with one,” Cortopassi added. “It’s an issue for processors and acquirers because you keep money reserves so funds will be available, and that is the money the FTC goes after to pay back consumers.”
If money reaches a processor through transactions or fees from a fraudulent merchant, the FTC views that money as not being obtained lawfully, thus it rightfully belongs to the consumer even if portions of it have been set aside in a processor’s reserve funds, Hobbs said.
That is not how ISOs generally view their reserve funds, Cortopassi said.
“Those funds are available as part of our overall risk portfolio, not just for instances of fraud, because they can be used as a safety net if a business goes belly-up,” Cortopassi said. “But if the FTC targets those reserves in litigation, that’s a significant factor for us.”
What do you think about this? Send us your feedback.
