By Ken Musante
Napa Payments and Consulting
Both Visa and Mastercard have registration categories for third parties. They want to know the entities providing services on behalf of member banks and end customers. Payfacs, processors, ISOs and gateways are all third parties, but each type provides a different service and has distinct registration requirements.
Payfacs, for example, contract with the acquirer and sub-merchant. Gateways need only contract with the end merchant, yet both must be registered to provide services for their clients. Understanding the third party type and the requirements for that type is key to offering new and expanded services while maintaining compliance and minimizing costs and work.
Visa and Mastercard have a vested interest in knowing the entities servicing merchants and cardholders. They wish to ensure PCI compliance and validate that their issuers and acquirers have conducted independent due diligence on any third party. Further, they want to ensure acquirers have meaningful criteria for third parties to remain in good standing.
Payfacs continue to expand their reach and attract new entrants. Visa classifies Payfacs as a distinct third party agent category; Mastercard groups them within a service provider type called Merchant Servicers. Both allow payfacs to enter into agreements with sub-merchants and to pay them directly.
While this sounds appealing, unless the payfac has a money transmitter license—valid in every state it intends to operate—the payfac designation is often immaterial. If the payfac doesn't intend to obtain a money servicing license, the acquirer will need to be on the merchant agreement regardless.
In that context, a payfac could accomplish its goals while registering as an ISO and avoid some requirements placed upon the acquirer and payfac. Because the term "payfac" currently has cache, entities often wish to become payfacs regardless of their need. The terms "payfac-like" and "managed payfac" have arisen, in part, because entities want to be more than ISOs even if they are doing nothing beyond what an ISO is able to perform.
Payment gateways are also third parties. They, too, must be registered, but unlike payfacs, they are performing services on behalf of the merchant, not the acquirer. Consequently, many acquirers dismiss the registration process so long as the gateway is on Visa’s Global Registry of Service Providers. Both card networks, however, require that acquirers enter into agreements with any third party servicer. Visa Rule 10.2.2.2 requires the written agreement to include minimum standards: policies, procedures, service levels and performance standards. Mastercard delineates sections that must appear in third party agreements and mandates their existence.
Despite this, non-compliance is rampant. Most acquirers rely on the Visa Global Registry. If the third party is registered in the appropriate category, certified to the acquirer’s authorization center and is PCI compliant, they allow merchants to be serviced through the third party. The risk is small. Should a breach or intrusion occur, however, and the acquirer is found to be using a third party without registration, the card networks could impose their fee structure.
Further, if an acquirer is not tracking third parties, it has no way to validate a third party’s compliance, and if issues arise with a specific third party, it won't be able to identify and correct impacted merchants.
If instead, the acquirer has a contract with the third party, upon notice of a violation of card network rules, the acquirer can invoke its rights under the contract and compel compliance or force the severance of support for merchants. Acknowledging the difficulty in carrying this out, having an agreement allows the acquirer to work through the issue(s) methodically and consequentially.
It's increasingly difficult to know the ultimate acquirer for every transaction. Payfacs and ISOs have assumed greater responsibility, and the card network rules have afforded them more autonomy. Understanding the rules allows acquirers to best position their merchants and third parties to minimize costs, liability and compliance while maximizing utility and abilities. 
As founder of Humboldt Merchant Services, co-founder of Eureka Payments, and a former executive for such payments innovators as WePay, a division of JPMorgan Chase, Ken Musante has experience in all aspects of successful ISO building. He currently provides consulting services and expert witness testimony as founder of Napa Payments and Consulting, www.napapaymentsandconsulting.com. Contact him at kenm@napapaymentsandconsulting.com 707-601-7656 or www.linkedin.com/in/ken-musante-us.
The Green Sheet Inc. is now a proud affiliate of Bankcard Life, a premier community that provides industry-leading training and resources for payment professionals. Click here for more information.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.
Prev Next
