Page 47 - GS170701

Education
There isn't enough space in this article to fully dissect the issue, but consider the following scenario that is quite common in the ISO industry:

An ISO retains a gateway to provide gateway services to its merchants. The gateway's job is to carry and store encrypted cardholder and transaction data for the merchant between the merchant and its acquirer and the payment networks. For all intents and purposes, the merchant believes it is relieved of security problems because the ISO is providing the secure, gateway-supplied tokenization and communication platform. The gateway contracts with only the ISO and not with any of the merchants. The merchants believe that the ISO is providing the gateway service – it's even branded that way.

Everything goes well until a massive breach occurs at the gateway. Payment networks carry out an audit of the merchants affected and determine that their data was stored – and ultimately compromised – by the gateway. The merchants are fined large amounts and start looking for someone to blame. Their first stop is the ISO. After all, the merchants believed they were getting gateway services from the ISO – under the ISO's brand. However, the ISO never conceived of itself as the provider of gateway services.

At this time, the story can go well or not so well for the ISO. If the ISO thought ahead to put in place merchant-facing gateway supply terms with a suitable limitation of liability, the outcome might be acceptable. However, if the ISO did not put in place merchant-facing terms for the gateway service, there is a possibility that none exist. When this is the case, the supplier of a service loses some ability to limit its liability for failures.

The moral of this story is to make sure each service delivered to a merchant is backed by terms of use. The terms of use might be directly between the provider (for example, gateway) and the merchant, or they may be between the ISO and the merchant. In either case, they should be carefully drafted to allocate risk according to the desired outcome. In plain English, as an ISO, you do not want to face a multimillion-dollar claim for the failure of your gateway provider.

Each ISO should know precisely how its liability is limited (or not) in the event of a breach by any of its suppliers.


In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For further information on this article, email Adam Atlas, Attorney at Law, at atlas@adamatlas.com or call him at 514-842-0886.
