his story was originally published on ATMmarketplace.com, Nov. 14, 2005; reprinted with permission. © 2005 NetWorld Alliance LLC. All rights reserved.

For more than a year, Visa U.S.A. has been spreading the word about revisions to PLUS network rules concerning ATM operators. So when the Nov. 1, 2005, deadline for all new merchant ATM agreements came and went, no ISO or financial institution should have been caught off guard.

In short, the new rules require ISOs and sponsoring FIs to know a lot more than they did in the past about merchants operating ATMs on the PLUS network, and have the documentation to prove it, if the merchant buys the ATM.

As of November 2006, ISOs and FIs must have that same information about all existing ATM owners. That means, regardless of how long ago an ISO sold an ATM to a merchant, the ISO is responsible for maintaining up-to-date files about the merchant.

The rule also stipulates that FIs ensure merchants don't have any "significant derogatory," namely criminal, information about them floating around before they're hooked up to the PLUS network. Simply put, Visa wants to know that any merchant using its network is, well, legit.

An Evolving Problem

According to a Visa document obtained by ATMmarketplace, when ISOs came on the scene in the mid to late 1990s, the deployment of "nonmember branded" ATMs exploded, resulting "in a rapid increase in the number of privately owned ATMs operating in the U.S. region."

That growth, the document adds, has increased the risk of PIN security breaches, because some ISOs and sponsoring FIs "fail to conduct adequate due-diligence reviews or fail to maintain business agreements with entities they connect to the PLUS system." Alternatively, the new requirements are expected to enhance "member control" and "mitigate risk."

Most in the industry agree Visa is moving in the right direction. Some, like Marilyn Kilcrease, founder of Simi Valley, Calif.-based Merchant Underwriting LLC, are even scratching their heads, wondering what took the networks so long.

"Everybody knew this was coming after 9/11," Kilcrease said. "The Patriot Act was passed two years ago, and that's really why all of this is happening." Merchant Underwriting is an ISO-centric company founded two years ago to help independents comply with Visa's request for more thorough and up-to-date merchant agreements. The company has contracts with 80 ISOs, whose portfolios range from small to large.

In Kilcrease's opinion, "Visa was very prudent in doing this." She estimates between $20 billion and $40 billion travels across EFT networks annually from ATM transactions originated at merchant-owned locations.

At many of those merchant locations, no one monitors due diligence, Kilcrease added. "When ATMs first started, banks touted ATMs as being branches, and now you think about a merchant who could be a criminal operating his own branch. It's a scary thought."

What's Ahead?

Although a bit more detailed, ensuring all new deals inked with ATM operators are up to par is the easy part.

Going back through the archives, if relevant documentation even exists, and bringing all existing agreements up to new-standard specifications by next November is a daunting task.

Kilcrease said most ISOs will be busy the next 11 months. "Think about going back to every sale that you've ever made. It's going to be very, very hard."

"Very hard," and expensive, said Mike Keller, General Counsel for Houston-based Cardtronics LP. With a network of 25,000 ATMs in the United States, Keller estimates Cardtronics will invest $120,000 next year to comply with the revised agreement rules.

"We'll have a full-time person dedicated to doing this," Keller said. "I think we'll spend, not counting background checks, $70,000 easily. And then with the background checks at 10 bucks a pop, and the 15,000 merchants we have, we're at $150,000."

For Cardtronics, which has four sponsoring FIs, developing a uniform approach is crucial, Keller said.

"We want to make sure that we have the same kind of agreement, regardless of the sponsoring financial institution, so that it's uniform for all of the merchants we work with," he said.

"There shouldn't be a lot of variation. Besides, sometimes you may have a machine move from one sponsoring bank to another, and you want make sure that you have something uniform," so that it's all transferable.

Working out all of those details with the sponsoring banks and the merchants takes time. In fact, some merchants don't understand the need for a new agreement, nor do they understand why ISOs need more background information. So getting the word out to merchants has to be handled appropriately.

"We're going to be developing an approach, and when we go out and touch a merchant, we want to get this information while we're there," Keller said.

"Hopefully, over the next six weeks or so, we'll have that plan in place, and we hope to begin implementing it at the beginning of the year."

But Jeff Munford, a Florida-based distributor for Willoughby, Ohio-based ATM manufacturer and processor Western Reserve Group Inc., said most merchants appreciate the checks, once they understand the rules.

"Most c-store operators have been really cooperative," he said. "I tell them, 'We need this information to protect ourselves, you and your customers.'

"And they understand that, because c-store operators want to be sure that they are providing their customers with secure transactions.

"The average c-store has 100 customers that use the ATM regularly, and you don't want anything to happen to those customers, whether you are the c-store that owns your own machine or whether you have someone else place an ATM in your store."

Link to original: www.atmmarketplace.com/news_story_24511.htm