Payment Facilitators and Risk: How the Market Views Submerchants

Chris Bucolo, Director, Market Strategy, for ControlScan     

There is plenty of evidence that the payment facilitator market will grow significantly over the next few years. There are multiple drivers for this growth, including the belief that the increased complexity of compliance/security requirements for merchants will generate more interest in this payments model.

Also, card brands like MasterCard expect card acceptance activity to grow rapidly through new verticals, including those involving micro-merchants, which lends itself well to the payment facilitator model.

Although there is general agreement that the growth potential is large, there is a divergent set of opinions on how risky the model is, and how risk needs to be approached. My informal research and survey of people in the industry underscored this point:

• From a card brand perspective, there is no requirement to report on the PCI validation status of submerchants.
• Some ISOs/acquirers stop there and rely exclusively on the payment facilitator from a risk perspective. Submerchants are required to sign a type of merchant agreement that indicates that they will maintain PCI compliance, although there is little evidence of any sort of enforcement. Many people are surprised to learn that even the early disruptors like Square have the requirement to maintain PCI compliance in their merchant agreements.
• Many people have also expressed that they are very worried about the risks represented by merchants and third party service providers in the payment facilitator model.

Is this due just to fear of the unknown? Not in my view. Experienced risk management people are very aware that new entrants into this space are really technology/software companies who are in the early stages of learning about payments, and may not yet have a clear understanding about the extent of the risk.

One recent event highlights the underlying risk in the payment facilitator model:

In the article, Unregistered Third Party Regpack’s Exposure of 324,000 Transactions Proves A Cautionary Tale For PFs, the author underscored the need to understand and manage risks within the payment facilitator model: “… if any sub-merchant or service providers could conceivably get access to card data, the PF must ensure they are certified and registered.”

Many risk management people agree that merchants and service providers need to be compliant, but it is a big and difficult task to manage. For example, there is the challenge of identifying submerchants that have increased processing volume and must be shifted to “regular” merchant status. Some players are getting submerchants to sign standard merchant agreements upfront, to make sure the necessary provisions are in place if and when they exceed the volume thresholds.

So let’s look at the two main pieces separately:

The Service Provider Side:

Every day we see evidence that processors and acquirers are informing aggregators they must now register as payment facilitators in order to continue processing.  Beyond that, all payment facilitators are being told that they must become PCI Level 1 compliant via a QSA assessment.

Payment facilitators must also be diligent in their vetting of other third parties involved in the ecosystem. This is an important issue because, even if the third party is not directly processing or storing cardholder data, they may have remote access into the environment, and can impact the security of that data.

The Submerchant Side:

Many processors and payment facilitators like the idea of submerchants going through PCI compliance as a standard practice. However, they have concerns about the process being too complex or time-consuming. Considering all the challenges we have all seen with level 4 merchants becoming compliant, this is a legitimate concern.

Payment facilitators tend to look for a submerchant PCI compliance process that makes SAQ selection as mistake-proof as possible, and involves a streamlined SAQ process and lots of patient support when needed.

There is also the likelihood that ISOs/acquirers will want separate reporting of payment facilitator activity. This would certainly allow them to segregate their portfolios and take different, targeted approaches to encouraging and enforcing compliance if they so choose.

Final thoughts to take away: After many years in payments and the last 10 years in PCI compliance and security, I have learned that what we do not know and cannot see is often what ends up hurting us.

• Many U.S. breaches today involve third-party service providers with remote access into merchant environments. These companies are often not even on your radar screen.
• The human factor is becoming a bigger issue in breaches. People and their behavior can be unpredictable, and tricking people into giving up credentials is commonplace.
• As EMV becomes pervasive in the U.S., there is debate and curiosity about what the next big breach trend will be. Where there is confusion about who is accountable for which security aspects, there is increased likelihood for vulnerability.

The bottom line is that a prudent risk strategy involves holding all parties responsible for compliance and security: payment facilitators, their submerchants, and any service providers. On both the submerchant and service provider sides, you need to strike a balance between the important security protections and making security understandable and affordable.