In a perfect world, acquirers can avoid Association issues, concerns or
liabilities if they follow the rules, treat merchants fairly and manage
their sales forces properly. In the payment world, however, acquirers
are ultimately responsible for anything and everything concerning their
merchants. If a compliance issue does arise, the Associations will
look directly to the member, the sponsoring bank. In turn, that bank
will look to the ISO (if there is one) in the chain to manage the
issues, pay any fines and take full responsibility. An acquirer’s
contract may provide a way to pass liability downstream to a merchant,
sales representative, value-added reseller, processor or strategic
partner, but it is ultimately the acquirer’s liability if anything
happens with a merchant.
Numerous acquirers have attempted to shield themselves from the actions
of their sales channel, claiming that they cannot control the
independent parties. The acquirer is completely responsible for its
sales force or referral partners, even if they are independent
contractors or completely separate entities. These salespeople or
organizations are working with merchants that sign agreements with the
acquirer, therefore, in the minds of the Associations and the members,
the acquirer is still responsible. Acquirers often try to protect
themselves by passing the responsibility of compliance and fines down
to the sales channel, but in many cases the sales partner does not have
extensive knowledge of the rules and best practices. In most cases,
the sales partner does not even have the funds available to pay the
fines assessed. At all times, it is the acquirer’s responsibility for
marketing, product and certification compliance.
Value-added resellers (VARs) such as integrated point-of-sale providers
may pose an even greater threat to acquirers. POS integrators place
systems in retail, service and internet merchants around the country.
These integrators certify their systems to processors but the acquirers
have the liability for the data on those systems, not the processors.
As a result, it is possible to have a POS system that is certified on a
processor and not “compliant” since the processor does not have direct
liability. Similarly, third-party data storage entities, loyalty
companies, risk organizations and the like pose an identical risk. The
acquirer is fully liable for the data these organizations house and
manage. It is the acquirer’s responsibility to make sure the VARs,
gateways, integrated systems and other partners that the sales force is
offering and merchants are using are compliant. The Associations and
members will always look to the acquirer for the liability.
Acquirers must also deal with the compliance risks posed by merchants.
While they are well aware of the liability attached to merchant fraud,
acquirers often forget about the compliance liability attached to the
merchants themselves. The merchant contract usually protects the
acquirer from these liabilities, but that only works if the merchant is
still processing with the acquirer or the acquirer is able to collect
the fines. There have been numerous instances where merchants have
utilized non-compliant POS systems or gateways, or mismanaged data -
opening up the acquirer to liabilities. It is the acquirer’s
responsibility to educate his merchants and keep them aware of best
practices.
As acquirers, it is not good enough to simply follow the rules. We
must inform, monitor and manage all of our partners. We must make sure
our sales partners are marketing appropriately and selling compliant
products. We must make sure the VAR products and systems we market and
utilize are safe. We must make sure our merchants are well-informed.
With all this in place, the payment system will become stronger through
education and direction, creating healthier companies and more
protected organizations.
|
