CLEVELAND — The regulatory winds swirling around acquirers and independent sales organizations are so swift, those who can't stay abreast of the changes are likely to get blown away.
Those winds are coming from card networks, the Payment Card Industry security standards council and government regulators, a panel of experts told acquirers and ISOs on July 27 at the annual Midwest Acquirers Association conference.
But many acquirers may not even be aware of the rules that are about to take hold. Plus, acquirers already have their hands full in deciphering the hundreds of pages of rules for EMV compliance that are already in effect.
Many of the imminent rules and regulations will focus on Web application security as a response to the latest data breach trends, said Chris Bucolo, director of marketing strategy for ControlScan, a PCI compliance provider for small and mid-size businesses.
The timing of the EMV liability shift "ushered in a new era of security and compliance, but it was a burden at the holiday season because of the issue with transaction time, which has since been addressed, but there was this feeling of being overwhelmed," Bucolo said in an interview after the presentation.
At the same time, acquirers had to decide whether to also introduce end-to-end encryption and tokenization, two other critical security layers, at the risk of making frustrated merchants even angrier.
"It was important to talk about those services in one conversation, rather than coming back again and again with new features," Bucolo added. "The piecemeal approach for merchants who are already busy just wouldn't work."
The payments industry, overall, has to get better educated in how to talk to merchants, Bucolo said. Acquirers putting technology packages together have admitted that education of agents and merchants was a significant weakness, he added. "The bigger the organization, the harder it is [to get education on the same page]."
Separately, the PCI council has reminded merchants and service providers to look at establishing unique credentials for each client and to adopt two-factor authentication, which will be required by 2018 for third-parties to enter the cardholder data environment. When fraudsters steal credentials from one network, they operate out of a portal with hundreds of merchant listings, and begin trying those credentials on each one, in hopes of breaking into more card databases, Bucolo said. "It takes only a few minutes to download malware, get the data they want, then cover their tracks on the way out," he added.
Visa plans to expand its Qualified Integrators and Resellers program by the end of 2017, to get a broader view of these types of integrators included in the PCI standards program. "Anyone who is involved in the integration, installation or support of applications has to go through the QIR program," Bucolo said. "The only way around that is when a company does its own installation."
Visa views it as a way to thwart the breaches affecting small merchants from data leaks at service providers, and the new guidelines will increase emphasis and scrutiny on the level of attention an ISO pays to working with an integrator.
Holli Targan, acquiring industry attorney and partner with Jaffe, Raitt Heuer & Weiss P.C., said ISOs have to be aware of a new federal law this year, the Defend Trade Secrets Act, which protects a company from a former employee taking a trade secret from and using it against the company.
"But what is a trade secret?" Targan asked. It is any information that drives up and down value that is not generally known and is protected, she said. For ISOs, that means merchant names, merchant contact information, profit margins and other info related to clients.
The new law provides remedies that a company can seek from a third party, one being a court injunction and the other is the possibility of a seizure of property, such as the computer storing the data, or damages for actual losses, Targan said.
It works both ways, however, because an ISO has to be careful that new hires cannot bring trade secrets from a prior company to the new job, Targan added.
"If that person uses information from a previous employer to the benefit of the new company, the ISO can be liable for damages," she said.
ISOs also have to pay attention to details when writing contracts or providing information to agents. Mastercard has a new fee disclosure information rule that requires this information to be provided to a merchant in separate page in a clear and concise manner, Targan said.
Federal regulators aren't likely to ease their scrutiny of the payments industry, particularly in areas that touch the consumer, said Scott Talbot, senior vice president of government relations for the Electronic Transactions Association.
The advancement of payments technology is good for the industry, but "that's why the federal regulators continue to look at us so closely," Talbot said. "It forces us to be proactive and to be ahead of regulation, and anticipate what regulators will be looking for"
It's not just a matter of concentrating on the consumer experience, but also what is good for business in a way that illustrates "self regulation," Talbot added. "When acquirers have a contract that clearly states what they will do for merchant clients — and then do it — that represents a great defense against a regulatory scheme being imposed upon us."
The payments industry is on the receiving end of an aggressive pro-consumer movement, Talbot said. ISOs can balance that by making their own voices heard as well.
"You have to be educated and involved," he added. "These politicians want to hear from you because you are a constituent and they want your vote, but also want to learn more about our business and they need your input."
In addition to dealing with regulators, ISOs have to remain wary of how they are interacting with their merchant clients when sharing information about new technology and new rules. Merchants have made it clear in the courtroom that they continue to be disenchanted with how the payments industry is evolving.
Merchants have ongoing legal battles over interchange fees; they are charging card networks with making rules that result in more debit transactions moving along their rails; and they are baffled by the chargeback overload in the wake of the EMV migration.