

The Green Sheet Online Edition

September 25, 2017  •  Issue 17:09:02


ISO technology contracting

By Adam Atlas

As with most businesses today, technology is a cornerstone for contemporary ISOs. This article considers some legal issues that are specifically relevant to technology contracts for ISOs.

PCI compliance

Payment Card Industry (PCI) Data Security Standard (DSS) compliance means different things to different people. To a small merchant, it might mean an annual self-assessment questionnaire coupled with a compliance or non-compliance fee.

An ISO that has a technical understanding of PCI compliance is at an advantage, because it can source and supply merchant-appropriate solutions. For example, a merchant who needs to collect and store cardholder data, but does not have PCI-compliant systems, will need to procure access to such systems. The ISO is perfectly situated to be the intermediary between the merchant and possible suppliers.

Once an ISO fully understands the cardholder data processing needs, and the corresponding PCI implications, it is in a position to select and procure the right solution. That said, not all suppliers are aware of the specific level of their own PCI compliance, and some do not even know why they need to be compliant. The ISO can therefore fulfill an educational function not only for the merchant – but also for suppliers – to make the best fit between them.

When a draft IT services agreement is finally put together in support of a PCI-regulated project, the ISO should review it to see what kinds of representations are made as to the PCI compliance of the provider and its services. It might also help to have the merchant or ISO's own PCI assessor look at those representations to see if they satisfy the needs of the merchant or the ISO.

The point here is that some IT services agreements are simply inadequate as to the PCI needs of ISOs and merchants, and they should be tested for that requirement before signing.

Backup, disaster recovery, necessary policies

Disaster recovery, backup, source code escrow, service level commitments and access to information are but a few themes to address in common-sense policies that ISOs should expect from IT suppliers.

This does not mean that the ISO needs to read all of the policies. Under the agreement between the ISO and its IT provider, it makes sense to have the IT provider represent that it has these policies in place and that it meets whatever standard the ISO requires of them.

Representations as to security

The PCI DSS is convenient, because it allows the parties to point to an objective set of standards that are not only identifiable but also subject to certification from a small army of PCI certification services. Outside of the PCI standard, IT suppliers are expected to implement measures to ensure that the data they hold is not compromised or corrupted. ISOs should consider representations by IT suppliers as to the security measures they take, so that the ISOs can expect performance that is commensurate with their needs.

When there is a security breach involving consumer data, a whole suite of federal and state laws can apply to the parties. When parties are at the contract-negotiation phase, it is helpful to consider how they will each allocate their respective responsibilities in the event of a security breach. It's also worth asking the IT company to inform the ISO of a breach in its systems that has nothing to do with the ISO – but that could nonetheless be informative as to the solidity of the IT provider.

Indemnification in IT agreements

In a perfect world, ISOs would obtain indemnification for all breaches or other wrongdoing by their IT suppliers. In the real world, IT suppliers will try to limit their obligation to indemnify to a few big-ticket items including:

ISOs should pay close attention to limitation of liability clauses in IT supply contracts to see if they meet their commercial needs.

In publishing The Green Sheet, neither the author nor the publisher is engaged in rendering legal, accounting or other professional services. If you require legal advice or other expert assistance, seek the services of a competent professional. For further information on this article, email Adam Atlas, Attorney at Law, at or call him at 514-842-0886.
