The Green Sheet Online Edition
September 23, 2013 • Issue 13:09:02
Tackle risk vectors to improve portfolio performance
Risk, fraud and compliance are no strangers to the payments community. Daily procedures address issues relating to Payment Card Industry (PCI) Data Security Standard (DSS) compliance in addition to monitoring merchant and affiliate activities to spot risky behavior and overseeing dealings with high-risk entities. Yet often, these procedures are viewed as a cost center, rather than an opportunity for business growth and cost savings.
Easy-to-use tools can enhance scrutiny and reduce risk while saving time and money � and even provide new streams of revenue.
Facing increased risk, compliance challenges
The payments industry has its hands full trying to minimize portfolio risk, and payment professionals are tasked with keeping up with an ever-increasing patchwork of information security legislation.
Currently, 99 countries have data privacy laws. Forty-six states have data breach laws and 22 states have additional data protection legislation. Compliance gets more complex when considering the breadth of federal legislation, like the Gramm-Leach-Bliley Act and the Drivers Privacy Protection Act, as well as industry rules and regulations like MasterCard Worldwide's Business Risk Assessment & Mitigation (BRAM) program, the Visa Inc. Global Brand Protection Program (GBPP), and the familiar PCI DSS.
Using tools to protect and improve profits
Research indicates that state-of-the-art security tools and services that require no bandwidth can increase nontransactional revenues up to 30 percent while making a big difference in efficiencies and outcomes for acquirers and ISOs.
For instance, deeper evaluation of prospective merchants can improve decision-making and reduce risk. Merchant monitoring for fraud and compliance can be done continuously and more extensively. Providing a solution that enables merchants to quickly report data loss and breaches to all appropriate authorities gives acquirers and ISOs another no-fuss revenue opportunity.
Here are three scenarios in which security services differentiate acquirers and ISOs, improve customer retention and preserve revenue:
- Merchant risk analysis at boarding
Merchant risk begins at the entry point into the payment system, which means thorough evaluation of merchants at boarding is critical � including analyzing the risk presented by their online presence. With the shift from phone books and billboards to search engines and message boards, merchants increasingly rely on the Internet to drive new business.
During merchant boarding due diligence, it is essential to examine merchants' online risk history, an often overlooked step. A cursory review of a merchant's website at boarding is not enough to protect an organization from future financial loss. Analysis should include all aspects of the merchant's online presence: history of risk and violations of card network rules, "Whois" records of domain name registration, and risk related to the company's principals, as well as examination of past and present websites to assess online service providers for PCI compliance and verify registration with the card networks.
Access to databases containing merchants' history of brand-damaging and illegal behaviors and violations of card network rules can augment the traditional boarding process, allowing compliance professionals to more accurately predict prospective merchants' future risk. This can help ISOs and acquirers reduce the likelihood of receiving costly fines and assessments and improve merchant retention rates. Also, they can be completed quickly and with minimal additional spend.
- Persistent monitoring of websites for compliance
It is also important to monitor merchants' online behavior. While a merchant may be selling compliant goods or services at boarding, within hours or days, that same merchant could switch to selling items that put acquirers and ISOs at risk for hefty compliance assessments and legal penalties.
With new illegal goods and substances emerging on a near daily basis, and ever more elusive "bad actors" going to elaborate lengths to disguise their wares, it can be difficult to stay on top of the latest trends in counterfeit goods, illegal drugs and other illicit industries. For example, a merchant selling "bath salts" or "plant food" may in fact be selling synthetic cocaine, which is illegal and against card network rules.
A monitoring provider that is well versed in all card network rules and that works closely with federal agencies, as well as with nongovernmental and industry organizations, can identify risky merchant website content that may otherwise be difficult to spot, saving payment providers from major financial loss and brand damage.
Knowledge of programs designed to help acquirers comply with card brand regulations is also key. Adhering to MasterCard's BRAM and Visa's GBPP programs, for example, can cut compliance costs and, in some cases, help acquirers receive safe harbor from compliance assessments.
- Data breach reporting
Ninety percent of businesses have had a breach, and 59 percent have had multiple breaches, according to Ponemon Institute's Perceptions About Network Security report. Visa recommends in its Responding to a Data Breach advisory that merchants plan for a data loss incident by establishing relationships with appropriate vendors. Acquirers and ISOs can profit by reselling important security services to nonprocessing customers as well as their own merchant base while increasing customer loyalty and retention.
Data breach reporting is one example of a revenue-generating security service that can relieve merchants of the burden to report to authorities. Timing is critical to mitigate further penalties like fines and lawsuits. When merchants suspect they have lost sensitive personal data, they can contact their security partners to start the reporting process. Not having to do extensive research while under duress, they can resume normal activities sooner.
Profiting from compliance
Building nontransactional revenues from security services can help acquirers and ISOs lessen the effects of economic downturns and margin compression. Only 15 percent of revenues in the payments industry are nontransactional, according to Aite Group LLC's Acquisition and Retention in Today's Merchant Acquiring World study.
Banks receive 39 percent of revenues from nondeposit and nonlending activities. Other industries with noncore revenues that serve as great examples to emulate include Internet service providers, 51 percent; gas stations, 30 percent; restaurants, 50 percent; sports teams, 56 percent; car dealers, 57 percent; and airlines, at almost 100 percent.
An ISO with 5,000 merchants could add $150,000 per year in net revenues directly to its bottom line by offering a breach reporting service.
Doing more with less
Certainly, payment professionals are time-strapped enough. It makes sense to take advantage of available tools that will improve merchant relationships while catching errant activities sooner to ward off risk and fines, save money, increase productivity and effectiveness, and enhance top and bottom line portfolio revenues.
Ross Federgreen, CIPM, CIPP/US, CIPP/G, CIPP/E, and Fellow, European Privacy Association, is the founder of CSR, the leading provider of global data compliance solutions and expert services that address Payment Card Industry (PCI) standards and personally identifiable information (PII) requirements. Ross can be reached at�firstname.lastname@example.org. For more information, contact CSR at 866-462-7774 or online at�www.csrcorporate.com.
Ed Barton, CFA, CPA, JD, is the President and COO of G2 Web Services, a leading provider of payment risk management services including merchant website monitoring and merchant boarding risk analysis. Ed can be reached at email@example.com. For more information about G2 Web Services, contact G2 at firstname.lastname@example.org or online at www.g2webservices.com.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.