Page 40 - GS171102
P. 40
Education
PCI compliance risk. Equipment leasing is therefore
not especially risky.
It's passé to whine about the right to select a Payment Card Industry (PCI)
Data Security Standard (DSS) compliance supplier. That said, because so many Gateway
licensed and competent suppliers are available, there is a strong case for ISOs
to have the right to use any duly qualified PCI provider. The question each ISO Some acquirers have their own gate-
should ask is whether selecting a PCI supplier that is different than the one way. Still, ISOs may wish to use an
preferred by the acquirer will expose the ISO to significantly more risk than alternative gateway for profit or for
would using the acquirer's preferred provider. convenience to the merchant. A key
question the ISO should ask itself –
The answer to this question is in the fine print of the ISO agreement – which and its acquirer – is whether failure
is worth negotiating. It's worth negotiating because there are implications to on the part of such a provider substi-
ISO risk that go beyond PCI suppliers into other areas, such as equipment and tuted by the ISO would result in more
gateways. liability to the ISO than a failure by
an acquirer-approved gateway sup-
Equipment plier.
Naturally, an acquirer will not want its merchants to use equipment that has Recall that gateways maintain card-
not been approved for use on the acquirer's network. Beyond that sensible holder data and are therefore subject
security and technical requirement, some acquirers will go further and wish to potential security breaches with en-
to oblige ISOs to use the acquirer's in-house leasing programs. This is more suing high-dollar claims. Of course,
controversial because ISOs may be able to find alternative leasing solutions gateway terms usually limit mer-
that are more profitable or preferable for other reasons. ISOs should consider chant claims to a reasonable amount,
parameters within which they can engage in equipment leasing with merchants but what happens if those terms don't
and weigh flexibility and profit in the course of that review. hold up and the acquirer faces a claim
for an ISO-chosen gateway blunder?
ISO risk with respect to equipment, in most cases, crystallizes around the The answer, as discussed above, lies
merchant's first month's payment, after which the leasing company assumes the in the ISO agreement.
In conclusion, ISOs should consider
how important self-selected suppli-
ers are for their own business mod-
els and then also consider how using
their preferred providers may bring
on claims by their processors. I know,
this is fairly dry material, but with
the rising importance of gateways,
cloud-based merchant management
and other vital third-party offerings,
ISOs owe it to themselves to consider
their risks associated with such sup-
pliers.
Incidentally, there is, of course, risk
that is independent of acquirer claims
and that could arise from merchants
making claims directly against the
ISO on account of the third party
suppliers – I'll save that discussion
for another column.
In publishing The Green Sheet, neither the
author nor the publisher is engaged in render-
ing legal, accounting or other professional
services. If you require legal advice or other
expert assistance, seek the services of a com-
petent professional. For further information
on this article, email Adam Atlas, Attorney at
Law, at atlas@adamatlas.com or call him at
514-842-0886.
40
