Nowadays every week seems to bring tumult to the card industry. Just recently, the house judiciary committee passed H.R. 5546, the Credit Card Fair Fee Act of 2008, which called for negotiations of interchange fees between merchants and issuers. However, the bill, as it left committee, would provide for a panel to decide the decision should the negotiations stalemate. As of this writing, the bill still has a long way to go before it becomes law. The National Retail Foundation, who warned that any exorbitant fees would be burdensome to merchants who would pass this on to customers, supported the bill.
As security standards are gradually implemented for payment cards, as well as devices that the cards are used with, it may get easier for the industry to regulate itself. As technology becomes more secure and companies gradually adopt PCI standards, could the industry be accelerating the path to self-regulation?
"I believe that the payment security standards are going to lessen both the frequency and impact of data breaches," says Gene Hoffman, CEO of Vindicia, a software-as-a-service billing and fraud management service for online payment processing. "I think that the card associations' delegation of the standards-setting process to an outside entity will strengthen the quality and diversity (two necessary pre-conditions) of the security standards framework. The largest real impediments that remain are merchants buying into the process on a deeper level than simply treating the form as a check
box, and merchants understanding the level of rigor that some of the specifications actually require."
Some vendors in the industry feel that the demands of the security, help foster innovation and develop new technology.
"Across the board the industry recognizes the importance of continuing to invest in a secure and reliable payment environment," says Jennifer Schulz, Chief Operating Officer of Verifi, a firm
who works with merchants, acquirers and issuing banks to reduce risk and increase profitability. "This increased investment is spurring innovations across a variety of fronts from advances in
POS (point-of-sale) terminals to enhanced card plastics."
The level of security, however, must have some flexibility to confront any unseen challenges that may come in the way of safe operations. Some feel that enacting legislation to implement security has drawbacks because it might lack such flexibility.
"Payment security standards must be flexible to allow for the adoption and use of various security methods and mechanisms in an effort to keep up with ever changing threats posed by increasingly sophisticated criminals and criminal activities," says Joe Samuel, Senior Vice President of Public Policy and Community Relations at First Data. "However, enacting payment security standards into law only serves to create a one-size-fits-all approach to protecting payment data, which will ultimately put consumer data at greater risk of harm."
Overall, security standards are initiated by card associations, and ultimately implemented and used by those in the industry to create a secure environment.
"As long as adequate security standards are established and followed, companies appropriately budget for security and those responsible take their security duties seriously, reliability of security will be increased," Steven Schneider, a partner with the law firm, Mitchell Silberberg and Knupp. "The industry has a good chance of avoiding onerous government regulation, especially if further massive security breach situations are avoided. However, companies will have to avoid the temptation in these more difficult economic times to try to squeeze money from their security functions."
"The objective is not to keep government regulators out, but to protect all participants in the chain. This is good for everybody," says Mike Saintcross, who heads up federal sales for Agiliance. "In the case of PCI, the business imperatives are well in line with the standards and regulations. In such cases, industry self-regulation serves the cause of all the parties involved in the eco-system."
On the regulatory front, an agency that has not been involved in much oversight for the card industry has taken some bold moves to become a bit more involved. The IRS is asking processors to report
credit and debit payments made by and to merchants and card processors in an attempt to catch underreporting of tax revenue in the hopes it will ultimately curtail some $10 billion in unreported revenues per year. The Electronic Transaction Association (ETA) is avidly lobbying against this. What does this mean for the acquiring industry and others in the card industry?
"This has been a logical outgrowth of the IRS looking at credit card data on the consumer side to catch tax evasion," says Gene Hoffman. "The major problem with this concept is that it's going to add costs to the small businesses that can least afford those costs, while drowning the IRS in a pile of data that will be very hard to link back to the correct taxpayer. The major problem the IRS will have with this data is that it is revenue and not profit and as such doesn't tell the IRS very much about what taxes are actually due. Further to evade taxes using a merchant account to intentionally trying, is already creating a powerful audit trail at his acquirer - which can easily be audited based on any particular suspicion of evasion. As such, I doubt there are many businesses that generate any significant amount of unreported revenue."
There are many other reservations that those in the transaction industry have to such practice.
"First Data is and has been publicly opposed to the IRS plan and the associated congressional legislation to implement the IRS plan, for the past 2.5 years," says Joe Samuel of First Data. "As currently drafted, the plan will require the acquiring community to report inaccurate payment card transaction information on merchants to the agency. For example, the IRS is seeking gross payment card transaction data on merchants, but the plan does not take into account offsetting transactions, such as charge-backs, in addition to PIN debit POS cash back scenarios (consumer gets $40 cash back on top of their $20 purchase). These figures, among others, need to be netted out to give a true picture of a merchant's sales revenue via electronic payments. In addition, we believe this proposition will cost the payments industry millions to implement, while there is little evidence that the IRS will generate $10 billion in additional tax revenue. As for trade associations actively lobbying against this proposal, the Electronic Transaction Association, along with the American Bankers Association, the National Association of Manufactures, the U.S. Chamber of Commerce and others, are working to defeat this proposal and to protect the payments industry and small businesses."
Tax compliance is a challenge to the IRS, however, many agree that such an Act not only burdens the acquiring industry, but is also counterproductive.
"The IRS also might well end up with the opposite of what it is trying to accomplish as more people revert to paying in cash in order to avoid their credit and debit card transactions reported to the tax authorities," says Steven Schneider. "The IRS instead should step up its audits, which historically have been a very cost effective way to increase government revenues and tax compliance."
Michael Saintcross of Agilance, however, feels that it is not surprising that the IRS would want to leverage technology to secure what they view to be legitimate revenue streams that previously were hard to detect.
"Enabled by technology to track electronic transfer, the banking industry has been complying with the Currency and Foreign Transactions Reporting Act that requires financial institutions to keep records of cash purchases of negotiable instruments and file reports of cash transactions exceeding $10,000. Additionally, the reporting of deposits into personal accounts of amounts exceeding $10,000 has been in place for quite some time."
In tumultuous times, what does the crystal ball say for 2009 and the payment cards industry, with regard to legislation by states and federal governments? As is always the answer, it depends who
According to Joe Samuel of First Data, expect more regulation and insistence on better technology measures to control card issuing practices and insure privacy and security. "In 2009, we anticipate more legislative and regulatory activity on issues such as privacy, data security, identity theft, along with legislation addressing card issuing practices and emerging/nascent payment issues such as radio frequency identification applications, prohibitions on various stored value card practices, and more legislation related to interchange and the disclosure of network rules," says Samuel.
Just as the future of our industry is hard to discern, so is the best move that the acquiring side of the industry can make to be ready for the near future.
"It is easy to say but not so easy to do; buy on the dips, but don't try to catch a falling knife," says Steven Schneider. "More portfolios and some smaller companies should come up for sale in the next twelve months or so at attractive prices. This should be a decent period for experienced acquirers to add to their scale. Above a certain size of business, there is true scalability - transaction volume can increase by 100% with the associated additional expenses to handle that greater volume needing to increase by a much lower percentage rate. Accordingly, adding to scale, even by paying up a bit for it, often can make good business sense."