A Thing
The Green SheetGreen Sheet

The Green Sheet Online Edition

November 27, 2017 • Issue 17:11:02

ISO risk from third-party providers

By Adam Atlas
Attorney at Law

Merchants require ever-better systems to stay competitive in today's business climate. Ecommerce, POS, loyalty, marketing and geolocation solutions are among the common product and service categories merchants need to stay in the game. These are sometimes available from ISOs or their suppliers. In this article, I will discuss ISO risks associated with third-party suppliers and their products.

Merchant account always central

For now, at least, the merchant account is central to the relationship between the ISO and the merchant. This means that the payment processing account of the merchant with the ISO's acquirer is a pillar of the relationship between the ISO and the merchant. While most ISOs are not party to their merchants' merchant agreements, they nonetheless retain certain rights in respect of those agreements ‒ specifically, the right to earn residual compensation from the processor that has boarded the merchant as a result of ISO solicitation.

Note that acquirers (that is, processors and their sponsor banks) will often take the position that the merchant "belongs" to them and not to the ISOs. What is more, they will take the position that information related to the merchant also belongs to them. This makes use of merchant information by the ISO for third-party services potentially subject to challenge. While it is customary for ISOs to sell additional products to merchants, outside of the merchant processing agreement (for example, paper rolls), acquirers will take a variety of approaches with respect to such third-party products.

The substance of an ISO's rights and restrictions with respect to a merchant are set out in the ISO's agreement with its acquirer. That said, where ISO activity does not interfere with the acquirer's merchant account, the acquirer will not usually try to interfere. In other words, earning an honest extra buck from a merchant is fair play as long as the acquirer does not suffer. Despite this general custom, some ISO agreements might prevent or circumscribe ISOs from selling additional products and services to merchants. ISOs should review their agreements for this concept and govern themselves accordingly – or seek an amendment if the terms are not acceptable.

One way acquirers have discouraged ISOs from using third-party suppliers has been to make the ISO liable for all the wrongdoing by those third-party suppliers. Granted, the acquirer should not be obligated to assume liability for a third-party supplier that it has not itself vetted. That said, why should the ISO underwrite the risk of a merchant using a third-party supplier that is not approved by the acquirer? Acquirers will say that they will inevitably be sued if a merchant's supplier (whether introduced by the ISO or the acquirer) does the merchant material harm. This might be true, but the third-party terms (like most merchant-facing terms) usually limit the supplier to nominal liability.

Acquirers will argue that those caps may not hold in the face of a material class claim. This tension between the desire of the ISO to provide a variety of suppliers, versus the acquirer's legitimate interest to expose its merchants to only suppliers that have been vetted, is the heart of the matter here.

PCI compliance

It's passé to whine about the right to select a Payment Card Industry (PCI) Data Security Standard (DSS) compliance supplier. That said, because so many licensed and competent suppliers are available, there is a strong case for ISOs to have the right to use any duly qualified PCI provider. The question each ISO should ask is whether selecting a PCI supplier that is different than the one preferred by the acquirer will expose the ISO to significantly more risk than would using the acquirer's preferred provider.

The answer to this question is in the fine print of the ISO agreement – which is worth negotiating. It's worth negotiating because there are implications to ISO risk that go beyond PCI suppliers into other areas, such as equipment and gateways.


Naturally, an acquirer will not want its merchants to use equipment that has not been approved for use on the acquirer's network. Beyond that sensible security and technical requirement, some acquirers will go further and wish to oblige ISOs to use the acquirer's in-house leasing programs. This is more controversial because ISOs may be able to find alternative leasing solutions that are more profitable or preferable for other reasons. ISOs should consider parameters within which they can engage in equipment leasing with merchants and weigh flexibility and profit in the course of that review.

ISO risk with respect to equipment, in most cases, crystallizes around the merchant's first month's payment, after which the leasing company assumes the risk. Equipment leasing is therefore not especially risky.


Some acquirers have their own gateway. Still, ISOs may wish to use an alternative gateway for profit or for convenience to the merchant. A key question the ISO should ask itself – and its acquirer – is whether failure on the part of such a provider substituted by the ISO would result in more liability to the ISO than a failure by an acquirer-approved gateway supplier.

Recall that gateways maintain cardholder data and are therefore subject to potential security breaches with ensuing high-dollar claims. Of course, gateway terms usually limit merchant claims to a reasonable amount, but what happens if those terms don't hold up and the acquirer faces a claim for an ISO-chosen gateway blunder? The answer, as discussed above, lies in the ISO agreement.

In conclusion, ISOs should consider how important self-selected suppliers are for their own business models and then also consider how using their preferred providers may bring on claims by their processors. I know, this is fairly dry material, but with the rising importance of gateways, cloud-based merchant management and other vital third-party offerings, ISOs owe it to themselves to consider their risks associated with such suppliers.

Incidentally, there is, of course, risk that is independent of acquirer claims and that could arise from merchants making claims directly against the ISO on account of the third party suppliers – I'll save that discussion for another column. end of article

In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For further information on this article, email Adam Atlas, Attorney at Law, at atlas@adamatlas.com or call him at 514-842-0886.

The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.

Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.

Prev Next

Current Issue

View Archives
View Flipbook

Table of Contents

Company Profile
New Products
A Thing