Page 41 - GS161102

Education

The second option for ISOs is to have the gateway contract directly with the merchant so that if the gateway fails, the merchant can sue the gateway and, perhaps, avoid bringing the ISO into the dispute. There remains risk for the ISO, but it is reduced somewhat by the real provider (the gateway) making direct promises to the merchant.

Gateway-merchant agreements, like gateway-ISO agreements, raise the key question of the liability of the gateway for a data breach. Gateways prefer to limit this liability – even if the merchant is left facing enormous fines from payment networks for PCI non-compliance or breaches.

Data breach liability

It's safe to say that most participants in merchant acquiring these days have sorted out the issue of chargeback and fraud liability. Most agreements where that is an issue have some language allocating some or all of the liability for chargebacks or fraud to one or another party.

The same cannot be said of data breach liability. This weakness of industry contracts is further complicated by the fact that merchants (unsophisticated normal folks) carry full liability for data breaches that occur in their systems or systems that they use (that is, gateways). Meanwhile, gateways prefer to limit their liability to some multiple (that is, 12 months) worth of fees, which are usually nominal.

The result is an imbalance between who carries the liability for data breach (the merchant) and who is in the best position to limit the risk of data breach (the gateway). ISOs, gateways and merchants need to focus on this issue as I expect it will be the focus of future disputes. This is especially so in interconnected systems where users quickly lose track of who is storing what data and for whom.

Transactions take flight

Technical prowess of gateways means that they can route transactions to any bank in no time. Naturally, the bank accepting such transactions must have a contract with the merchant that is sending them. However, the ease of integrations through gateways has dissolved geographic limitations on processing and probably poses a challenge for banks to know whether they are processing transactions for local or foreign merchants.

ISOs should reflect on the ever-more integrated matrix of gateways and make sure transactions of a given merchant intended for a given bank actually go to that bank. The ISO has the opportunity to stop excessively creative (or outright illegal) processing activity that has become very easy.

It's a cliché for a lawyer to recommend reading contracts closely. However, with the increasing risk and cost of data breach, a close read of gateway terms may yield a surprisingly large protective dividend.

In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law, by email at atlas@adamatlas.com or by phone at 514-842-0886.

Calendar of Events: Snap Shot of 2017

SEAA Annual Conference
