By Patti Murphy
We live in an interconnected world where one breach of fraud protections or data security protocols can have far-reaching consequences for individuals and businesses alike. ISOs and merchant level salespeople (MLSs) ignore this new reality at their peril. There's an upside, however: an opportunity to boost revenues by helping clients stay on the right side of the law.
"It's important to have at least some basic knowledge of what the law requires and where to go to get some help if that's needed, because it's going to impact your life one way or another," said Mark Dunn, president of Field Guide Enterprises.
Take data privacy, for example. It's a topic on the minds of many as data breaches continue to be uncovered almost daily. In 2019, nearly 1,500 data breaches resulted in exposure of 164.7 million sensitive records, according to Statista. The Ponemon Institute estimated the average data breach costs businesses $150 for each record compromised. And a survey by security firm RSA revealed that 64 percent of Americans blame hacked businesses, not hackers, when their personal information is breached.
Lawmakers and regulators have been spurred to act. "There are regulations and requirements in every one of the 50 states, plus more than 20 federal regulations," said Ross Federgreen, president of CSR Privacy Solutions. These rules impose requirements on the collection, management and destruction of personal information, like names, Social Security numbers, credit and debit card numbers, and bank accounts. "The regulations have significant teeth, and fines are being levied on an increasing basis against companies large and small found to be in violation," he added.
In 2018, California adopted what has been characterized as the most comprehensive set of data privacy regulations in the United States. The law firm BakerHostetler stated in a report that the California Consumer Privacy Act (CCPA) is noteworthy in that "the definition of personal information under the new law is very broad and includes data elements not previously considered personal information under any U.S. law."
The CCPA, which took effect in 2020, requires companies to adopt safeguards that protect the security, confidentiality and integrity of personal information they collect on consumers in the state. It doesn't matter where a company is headquartered; if it does business with consumers in California, or simply targets customers in the state, CCPA requirements apply.
Violations of the CCPA can result in civil penalties ranging from $2,500 to $7,500 for each violation. Additionally, private plaintiffs can bring civil actions against breached companies when those breaches result in theft or disclosure of their private information. Consumers can seek up to $750 per incident, or actual damages, whichever is greater, BakerHostetler noted.
Virginia followed California's lead, passing a similar law on March 2, 2021, with an effective date of 2023. And proposals on the legislative dockets in several other states, including New York and Washington, would impose similar requirements for safeguarding consumers' private information.
All of these state initiatives mirror closely the tough stance taken by the European Union with its 2018 enactment of the General Data Protection Regulation.
"These privacy laws and regulations apply to clients as well as employees and vendors," Federgreen said. "There are no distinctions made as to the size of the business, revenues or anything else."
The laws have very real implications for ISOs and acquirers. "ISOs and acquirers need to improve their knowledge of what the laws cover," Dunn said. "They need to be aware of the stringent liabilities involved and the fines they could be subject to for failing to comply" with rules for protecting against and reporting breaches of personal information.
Most ISOs have agent portals that, among other things, are conduits for personal information about agents (names, SSNs, etc.). That information is covered by laws like the CCPA, and if compromised, there are specific requirements for reporting and rectifying the compromise, Dunn noted.
Steve Eazell, executive vice president for strategic partners at ComplyPact, pointed out that acquirers and ISOs can also land on the hot seat if they don't properly vet customers that run afoul of federal fraud and money laundering laws. The U.S. Department of Justice, as well as other U.S. and foreign law enforcement agencies, expect companies to establish compliance programs that keep fraudsters and money launderers at bay, or risk culpability. "They're holding merchants liable if [for example] a rogue employee is skimming credit card information and selling it on the dark web," Eazell said.
In 2020, the DOJ updated prosecutorial guidelines that illustrate why all companies, regardless of size, need comprehensive compliance programs that will hold up under the scrutiny of DOJ investigations. Under the guidelines, for example, an ISO/acquirer that boards a rogue merchant found to be defrauding customers could face investigation and stiff fines if prosecutors believe the merchant gained access to payment processing because the acquirer/ISO vetting process was not "adequate and effective," Eazell said. "You don't have to be perfect, but you have to at least show that you're doing everything in your power to show that you acted in good faith," Dunn added.
ComplyPact and CSR are two of a new breed of financial technology providers focused on helping acquirers, their sales partners and their merchants not get caught off guard by the ramifications of data breaches or other fraudulent activities. According to Dunn, these companies "can help guide businesses through all the things they need to do to become compliant and to react when there's a breach or fraud incident."
CSR offers a bundle of services it calls uRISQ that includes comprehensive threat scans of merchant websites and firewalls with detailed reporting, and 24/7 access to a team of experts who guide merchants through the regulatory reporting process should they get breached. Also included are access to online tools and resources companies can use to implement privacy policies and programs that will withstand the scrutiny of state and federal regulators.
uRISQ is available to acquirers and ISOs as an in-house tool as well as a private-label, value-added service they can resell to merchants. The real opportunity is in reselling, Federgreen noted. CSR offers the bundle for a flat monthly fee, which ISOs and MLSs can sell to merchants at a handsome markup. "It's an excellent way to boost recurring monthly revenues, and portfolio valuations," he said.
ComplyPact offers similar revenue opportunities for acquirers and their sales partners that resell the ComplyPact corporate compliance management system; monthly service fees are split with the selling ISO, Eazell said. The system incorporates a comprehensive set of online tools, such as training and compliance manuals, metrics and reporting, which merchants use to create a "provable culture of compliance" that will pass muster with law enforcement and regulators, he added.
"There are not a lot of attorneys that can help once you get slapped with an injunction and threatened with fines and jail time," Eazell added.
Patti Murphy is senior editor at The Green Sheet and self-described payments maven of the fourth estate. Follow her on Twitter @GS_PayMaven.