How ISOs, acquirers responded to the Equifax breach
In a post-Equifax world, independent sales organizations, acquirers and payment processors are under much more scrutiny over merchant account applications and underwriting.
Overall, the acquiring and payment processing industries are waiting for a couple of shoes to drop — the onslaught of fraud attempts using Equifax credentials, and the placement of more regulations similar to the banks' current Consumer Due Diligence Rule.
"More people are looking at this now after Equifax, and they will be looking at how agents and sub-ISOs accept merchant applications, and there will be fines associated with not following security requirements," said James Huber, a partner at Global Legal Law Firm.
"In talking to ISOs, we believe they are not worried about chargeback losses as much as they are worried about fines related to security requirements," Huber said last week during a presentation at the annual Midwest Acquirers Conference in Chicago.
The Equifax breach occurred between May and July of 2017, with estimates of roughly 143 million credentials stolen, affecting about half of the U.S. population. It is estimated that credit card numbers for about 209,000 accounts were part of the hackers' haul.
Banks and the ISOs who obtain and submit merchant accounts for payment processing already follow the Know Your Customer regulations. But experts agree that the burden has kicked up a notch in the wake of the Equifax breach, which emphasized that there has been no fail-safe way to halt data compromises without extreme attention to detail.
It's also becoming apparent that American consumers are not likely to be as diligent in protecting their own data. A recent survey of 1,000 adults by LendEDU found that 73% of respondents were aware of the Equifax breach, but 37% of those said they had not checked to see if they were affected by it.
The companies that allow merchants into the payments system are under more pressure to have strict data gathering policies in place and not leave any stone unturned in verifying an applicant's identity.
"When the issue of a big chargeback happens, and the bank or ISO wants to go back to get their money, they go after the person running the business only to find out they were a 'straw' [fake] merchant," Huber said. "So, the most important trigger in underwriting is an ownership change. That should be a huge red flag on an application."
Banks are essentially passing along their security regulations to the ISOs and agents, who will have to be laser-focused on what types of merchant accounts they are bringing forward in the future, said Jennifer Papenhagen, in charge of elevated risk management at MB Financial.
"In addition to an ownership change, it is also important to know how long the applicant's e-mail account has existed," Papenhagen said. "It also is not normal for someone to say they own 10 corporations, as those are usually just bad actors who leave a trail."
If an applicant appears to be changing bank accounts fairly soon, the ISO should take a deeper look into the circumstances surrounding the need for that change, Papenhagen said.
"A background check on a company's office locations could also reveal important information, if there are any month-to-month changes in those locations," she added.
Reyna Coleman of Pineapple Payments mentioned that she always checks an applicant's business e-mail address to make sure it matches with the one on the company's website.
And sometimes an underwriter can uncover a false applicant in the oddest places, Coleman said.
"The internet is harmful in ways, but it can be helpful as well," she said. "For one of our new applicants, we noticed that person's name had turned up in the obituaries about a month earlier."
These techniques predate the Equifax breach, so the onus is on banks and acquirers to get better at spotting them.
"The difference is more regulation now, and with breaches the size of Equifax, we are going to start seeing more talk and more stir at the state government levels," Papenhagen said. "We have to push this down to agents and ISOs — and they have to care."