As small businesses serving other small businesses, ISOs perform a wide variety of tasks. At the same time, they try to differentiate themselves from the competition by specializing in serving certain types of businesses or by offering value-added products and services.
All of that can stretch an ISO a little thin when it comes to understanding the risk of data theft and fraud. And as a result, some ISOs understand payment security, and some don’t.
Retail ISOs — those concentrating on reselling transaction processing services — have a sales relationship with merchants but pass the risk of breaches to a third party.
Other ISOs take on risk but “don’t understand it because it’s a moving target,” says Deana Rich, president of Deana Rich Consulting Inc., a Van Nuys, Calif.-based firm that offers advice on risk management.
“There are always new threats and new regulations,” Rich says. “Also our product is always changing, and consumer needs are always changing.”
Some of that change comes to pass because the public wants ever-easier ways to pay.
“Our industry changes to make things more frictionless for consumers,” Rich tells ISO&Agent Weekly. “We try to find a way for consumers to pay without having to do anything.”
Think PayPal, she suggests. Users don’t have to swipe a card or sign a bill for a credit card transaction at the point of sale.
“Risk changes on our side because we try to make things simpler for consumers,” Rich says. “The risk of fraud for consumers is always there. The risk of fraud in a transaction is always there.”
ISOs and acquiring banks, card brands and all kinds of technology developers are trying to make payment easier for consumers, “so as not to lose the sale. But they also want to minimize risk,” she maintains.
Reducing that risk requires nearly constant vigilance, says John Newton, director of sales in the strategic partner channel at Fort Worth, Texas-based First American Payment Systems.
“We have to make sure we stay a step ahead or at least even with folks that are trying to do harm,” says Newton.
First American, an ISO and processor, built its own risk and fraud prevention tools based on guidelines from the card brands.
The company does its own underwriting and risk monitoring
“We also keep in touch with federal regulatory activity,” says Jason Putnam, vice president of sales in the strategic partner channel for First American.
When a merchant submits an application to become a client, First American underwriters use prior processing statements and an estimate of annual credit card volume to create a volume threshold, or potential liability, that First American must bear.
“We get a picture of what processing looks like on a month by month basis,” says Newton.
Combined with trend data mapped in other merchant relationships, that picture enables the ISO to set loss prevention and fraud monitors — “tools that protect us and protect them,” he says.
First American agents explain its underwriting process and resulting system triggers to merchants, so when monitors freeze a charge that doesn’t fit the profile and funds are held temporarily, merchants understand it’s done to protect them from chargebacks, says Newton.
eMerchantPay, a payment processor and gateway that sells services through ISOs and directly to merchants, also reduces chargeback and dispute expenses by stopping unusual transactions. The company focuses on online retailing, gaming and travel booking companies worldwide.
“Conducting business online may make the company more susceptible to payment fraud,” says Vyara Samoukova, public relations and marketing manager for eMerchantPay. “Based on the specific business type, eMerchantPay defines transaction screening rules to meet specific business requirements.”
ISO risk managers have played a loss-prevention role because they’re responsible for anything the merchant can’t fund, notes David Fish, senior analyst in the fraud, risk and analytics practice at Maynard, Mass.-based Mercator Advisory Group.
eMerchantPay employs a suite of tools for real-time risk assessment of online purchases to thwart scam artists.
“We spot potential fraud before it occurs,” Samoukova says.
At First American, when a transaction is flagged, “we work very hard with merchants, sub-ISOs and agents to let them know,” Putnam says. “We will immediately reach out to the merchant to get them involved.”
“It can be a volatile situation, but nine times out of 10, they understand,” he maintains.
Over the past few years, the emphasis has shifted from nurturing good intentions to raising awareness of fraud control, Fish says.
Indeed, First American encourages its merchant clients to make communication a “two-way street,” Putnam says.
If a merchant anticipates an unusual, big-ticket transaction — say, a pizza delivery joint with an average ticket size of $20 is catering a wedding for $10,000 -- it should contact its ISO and let the loss-prevention team know to mitigate any issue that arises when the charge is run, Newton advises.
“The small merchant looks at the large transaction as a boon to business,” he says. “But after years of monitoring, the trend is that an abnormal transaction turns into a chargeback or fraudulent transaction.”
Merchants see the wisdom of questioning an unusual charge if they’ve ever been victims of fraud, Newton says.
“It really takes only one time losing a $10,000 transaction for them to grasp the importance” of a systematic approach to verifying transactions and a commitment to communication, he maintains.
An expanded version of this article is scheduled to appear in the April print issue of ISO&Agent.