Page 40 - GS161102
Education
Legal ease: Gateways rising
By Adam Atlas
Attorney at Law

Gateways carry payment transaction data between
cardholders, merchants, POS devices, processors, banks
and payment networks.

Until recently, gateways were perceived as the dull
plumbing of payment processing, doing the drudgery of
maintaining the "pipes" through which payment transaction
information travels.

Today, gateway developers and providers are re-imagining
gateways as potentially central and even controlling
elements of the payment services network. The purpose of
this article is to discuss some legal issues that are arising
due to the evolving role of gateways.

What does a gateway do?

Payment Card Industry security standards (PCI), which
apply throughout the card payment system, are demanding.
They prescribe certain levels of technical security
compliance that entities must meet if they wish to store
cardholder data. PCI is a type of industry self-regulation
that makes sense given how much sensitive financial
information is flying around between people and
businesses.

Most merchants lack the sophistication to build
PCI-compliant data collection, storage and transmission
systems. Enter gateways. When you shop at a typical
smaller online merchant and enter your credit card
information, that information (if the merchant is PCI
compliant) goes directly from your browser to a secure
server that is likely nowhere near the merchant.

The information is then routed by the gateway to the
payment networks for authorization and other messaging
related to the transaction. Gateways have cultivated
specific, deep capabilities related to this limited aspect of
payments – data storage and communication.

Gateway agreements – ISO

Traditionally, ISOs contract with gateways for the gateway
to provide data transport between merchants, banks and
payment networks for the benefit of merchants. These
contracts take various forms.

In some contracts, ISOs pay gateways to deliver service to
merchants. In others, gateways pay ISOs commissions for
revenues they earn from merchants for their services. For
better or for worse, gateways often try to limit their liability
with respect to their services. To be specific, gateways
often say to ISOs that if something goes terribly wrong
– for example, a data breach of the gateway service – the
liability of the gateway is still limited to some multiple of
contract fees or a fixed dollar amount.

This is in contrast to the potentially huge liabilities of
merchants under merchant agreements if they, or their
platform suppliers, incur a breach. When ISOs review
their gateway supplier agreements, they should take a
close look at the limitation of liability clauses.
These clauses are central to ISO-gateway relationships
and should dovetail with terms merchants have accepted.
In other words, if a gateway is not promising much in
terms of indemnification for wrongdoing, the ISO should
also not promise merchants much and should also limit
its liability.

Gateway agreements – merchant

Here is where gateway contracting gets interesting. A
surprising number of merchants are procuring gateway
services but have no signed documents explaining the
service terms and who is supplying the services. In some
instances, an ISO contracts with a gateway to supply
gateway services to its merchants, and the gateway does
provide that service. Merchants integrate and are able
to process transactions. However, what is sometimes
forgotten is presenting merchants with terms by which
they are procuring gateway services.

ISOs have two options here. One is to contract with
merchants themselves and make promises as to delivering
gateway services – with the real gateway being the fulfiller
in the background. The problem with this structure is that
if the gateway fails, the merchant sues the ISO because it
has no contact with the gateway.