A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

March 09, 2015 • Issue 15:03:01

Legal ease:
ISO third-party integrations and data sharing

By Adam Atlas
Attorney at Law

Why is it easier to integrate Farmville with Facebook than your ISO business with your processor? I think this should be the prevailing question ISOs ask processors in 2015. Most people are so busy sharing data between apps they can't keep track of which apps depend on which. Yes, data sharing has risks, but let's face it, we are stalled without it.

Meanwhile, when a processor delivers ISO reporting on an Excel spreadsheet, the ISO has to take a trip down to the local computer museum to get the data from the spreadsheet into a useful format that adds value to the ISO's business. The purpose of this article is to talk about the legal aspects of third-party integrations of ISOs, or put another way, the gamification of ISOs.

What can an ISO get from a third party?

A lot. Take for example, a customer relationship management (CRM) system, such as ISIS CRM, designed for ISOs that instantly pulls data from all the ISO's key sources like processors, agents, lead generation sources and merchants, and delivers a powerful live feed to all concerned. In addition to tailored CRM services, accounting packages, lead tracking, sales meeting schedulers and various other third-party systems all compete to add value to the ISO's business.

The services an ISO is likely to need from a third-party integration depend on the ISO's needs. For example, an ISO may wish to use a platform that specializes in full, tailored ISO support or prefer something more generic to handle just basic bookkeeping or appointment setting.

How does the ISO integrate with a third party?

Usually, it's just a question of clicking and accepting the terms of integration. Some larger integrations require a dedicated bit of software called an application program interface (API). An API allows one system to communicate with another so that they can, for example, instantly share a common database.

Most large businesses for which data is a core element now, first and foremost, think about offering their clients APIs in order to facilitate integration. Some rather backward processors either don't have APIs or make them hard for ISOs to access. This is the same kind of thinking that has sunk various closed-loop services over the past couple decades.

The long view of ISOs should be a basic expectation of live integration with all their suppliers. For example, as a law firm, we provide live feeds of certain key legal information to some of our clients though a cloud-based database. If we can do it, processors are certainly able to do it.

What are the legal terms of integration?

A third-party platform, such as a CRM system, that would fetch ISO data from a processor, process it, warehouse it and present it to ISOs in a user-friendly way, will require the ISO to accept certain terms and conditions of use for the service. These terms should cover the following key topics:

  • Confidentiality of ISO data: There is no data more important to an ISO than its merchant data. An ISO's merchants, and the pricing related to them, are sacred to the ISO, and the ISO is usually also bound by obligations to its processor to not disclose that information other than as permitted under the ISO agreement. Consequently, the ISO will want assurance in writing from a third-party service provider who has access to ISO data that the data will be kept confidential.
  • Non-solicitation: Naturally, the ISO expects the third-party service provider will not use ISO information to solicit into the ISO portfolio. Therefore, the service provider terms should bind the service provider so that it cannot poach merchants from the ISO's portfolio.
  • Security: The service provider should commit to a certain base level of security concerning its systems. Any entity that holds merchant portfolio data should be suitably prepared for security attacks. Therefore, the ISO can expect its third-party providers holding ISO data to institute suitable security measures.
  • Data portability: The ability for the ISO to pull its data out of the third-party service provider in a useable format is a reasonable expectation for an ISO to have of a third-party service provider that holds its data. One need look no further than platforms like Google that offer data-dumps of data that they manage for users to see precedent for this kind of wind-down support.

Whatever the terms of the third-party service provider, the ISO should read them carefully and see that they provide adequate protection for the ISO.

Do processors cooperate?

When shopping for an ISO agreement, on par with pricing, ISOs should be preoccupied with whether the processor is going to provide live feeds of ISO data to the ISO. Most are cooperative, but some processors that are stuck in an outdated mindset have been putting up resistance to providing APIs or other forms of cooperation with third-party service providers to ISOs.

By putting a tourniquet on the flow of data from processor to ISO, the processor is taking away the new lifeblood of ISOs: data. The ISO business has never been more competitive; ISOs need every edge they can achieve. Data curating is ripe for enrichment in the ISO marketplace, and will therefore differentiate stronger and weaker processors and ISOs. ISOs should select a processor, in part, on the basis of whether the processor takes a "data first" approach.

The long view of big data for ISOs

Acquiring businesses should take the long view of data concerning ISOs and merchants, which is that the data is the core value of each of their businesses. Assuming similar sales abilities and similar marketing budgets, one ISO will get ahead of another, in part, because it masters the flurry of data associated with its merchant portfolio.

ISOs have been worried for years that they may be replaced by large Internet players that are strong on data, but weaker on sales. This is a valid fear – and keeping up with data mastery is part of what an ISO has to do to remain competitive. end of article

In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For further information on this article, email Adam Atlas, Attorney at Law, at atlas@adamatlas.com or call him at 514-842-0886.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next
A Thing