Page 20 - GS230701
P. 20
Education
Third – party currently has cache, entities often wish to become payfacs
regardless of their need. The terms "payfac-like" and
registration "managed payfac" have arisen, in part, because entities
want to be more than ISOs even if they are doing nothing
beyond what an ISO is able to perform.
If the tide never comes in, must
I wear a bathing suit?
Payment gateways are also third parties. They, too, must
be registered, but unlike payfacs, they are performing
services on behalf of the merchant, not the acquirer.
Consequently, many acquirers dismiss the registration
process so long as the gateway is on Visa’s Global Registry
of Service Providers. Both card networks, however, require
that acquirers enter into agreements with any third party
By Ken Musante servicer. Visa Rule 10.2.2.2 requires the written agreement
Napa Payments and Consulting to include minimum standards: policies, procedures,
service levels and performance standards. Mastercard
oth Visa and Mastercard have registration cat- delineates sections that must appear in third party
egories for third parties. They want to know agreements and mandates their existence.
the entities providing services on behalf of
B member banks and end customers. Payfacs, Despite this, non-compliance is rampant. Most acquirers
processors, ISOs and gateways are all third parties, but rely on the Visa Global Registry. If the third party is
each type provides a different service and has distinct registered in the appropriate category, certified to the
registration requirements. acquirer’s authorization center and is PCI compliant,
they allow merchants to be serviced through the third
Payfacs, for example, contract with the acquirer and sub- party. The risk is small. Should a breach or intrusion
merchant. Gateways need only contract with the end occur, however, and the acquirer is found to be using a
merchant, yet both must be registered to provide services third party without registration, the card networks could
for their clients. Understanding the third party type and impose their fee structure.
the requirements for that type is key to offering new and
expanded services while maintaining compliance and Further, if an acquirer is not tracking third parties, it has
minimizing costs and work. no way to validate a third party’s compliance, and if issues
arise with a specific third party, it won't be able to identify
Visa and Mastercard have a vested interest in knowing the and correct impacted merchants.
entities servicing merchants and cardholders. They wish
to ensure PCI compliance and validate that their issuers If instead, the acquirer has a contract with the third
and acquirers have conducted independent due diligence party, upon notice of a violation of card network rules,
on any third party. Further, they want to ensure acquirers the acquirer can invoke its rights under the contract and
have meaningful criteria for third parties to remain in compel compliance or force the severance of support for
good standing. merchants. Acknowledging the difficulty in carrying this
out, having an agreement allows the acquirer to work
Paying for the facs through the issue(s) methodically and consequentially.
Payfacs continue to expand their reach and attract new It's increasingly difficult to know the ultimate acquirer for
entrants. Visa classifies Payfacs as a distinct third party every transaction. Payfacs and ISOs have assumed greater
agent category; Mastercard groups them within a service responsibility, and the card network rules have afforded
provider type called Merchant Servicers. Both allow them more autonomy. Understanding the rules allows
payfacs to enter into agreements with sub-merchants and acquirers to best position their merchants and third
to pay them directly. parties to minimize costs, liability and compliance while
maximizing utility and abilities.
While this sounds appealing, unless the payfac has a
money transmitter license—valid in every state it intends As founder of Humboldt Merchant Services, co-founder of Eureka
to operate—the payfac designation is often immaterial. Payments, and a former executive for such payments innovators as
If the payfac doesn't intend to obtain a money servicing WePay, a division of JPMorgan Chase, Ken Musante has experience in all
license, the acquirer will need to be on the merchant aspects of successful ISO building. He currently provides consulting ser-
agreement regardless. vices and expert witness testimony as founder of Napa Payments and
Consulting, www.napapaymentsandconsulting.com. Contact him at
In that context, a payfac could accomplish its goals while kenm@napapaymentsandconsulting.com, 707-601-7656 or www.
registering as an ISO and avoid some requirements placed linkedin.com/in/ken-musante-us.
upon the acquirer and payfac. Because the term "payfac"
20
