By Nancy Drexler
Merchant level salespeople (MLSs) used to laugh at or simply ignore payments industry compliance regulations. They believed that as long as they didn't use the MasterCard Worldwide or Visa Inc. logo, they could call themselves any name they liked. They were wrong, but they got away with it - until now.
Scrutiny in our industry is growing. Merchant complaints (sometimes resulting in lawsuits), the notorious Wal-Mart Stores Inc. case and a handful of large cardholder data security breaches have all boosted the need for stricter Payment Card Industry Data Security Standard compliance.
In this environment, the major card brands (formerly card Associations until MasterCard and Visa became publicly traded companies) are placing responsibility on the banks to keep within compliance. And if lack of compliance is discovered, heavy fines are handed down. Not surprisingly, the banks are passing the buck to their processors, and they, in turn, are likely placing the onus on the backs of their registered ISOs.
You can guess whose shoulders it falls on from there.
As far as the card brands are concerned, an ISO is anyone who does the following:
In the eyes of the card brands, if you are not registered with them, you are not truly an ISO. Therefore, you are not authorized to sell credit or debit card processing services.
Registered ISOs are required by the card brands to carry their bank branding on marketing materials from Web sites to business cards to e-mail addresses. Processing banks stipulate exactly how their individual bank brands should be communicated.
The branding requirements have three components:
Remember, these are the rules set by the card brands. The banks then stipulate exactly how their names should be used.
For instance, SignaPay's bank strictly prohibits its name from being attached to phrases such as "partnered with," "affiliated with," or "a division of." Instead, it asks registered ISOs to use one of a few prepared lines, including "(ISO name here), a registered ISO in association with (bank name here), N.A., city and state."
If the MasterCard or Visa logo is used, banks also govern where, in position to the logo, the tag line must appear.
According to the card brands, if you are not registered, you are not authorized to sell products and services on your own. This means, for example, that SignaPay offices and MLSs must use SignaPay's name when they answer the phone, make business cards and have any other communication that is used to solicit, handle or even discuss merchant processing. This includes applications, forms, guidelines, marketing materials, telemarketing calls, e-mails and so forth.
Many nonregistered ISOs mistakenly believe they can use their own business names as long as they do not use them in conjunction with the Visa or MasterCard logos. This is not true. If unregistered ISOs use their own business names when talking about rates or fees, giving out their business cards, handing out brochures, or giving applications to merchants to solicit card processing, they are conducting business out of compliance.
Even e-mail addresses require compliance. Sure, MLSs can use any e-mail name they choose. But if they attempt to sell processing services, their e-mail addresses must be under the name of a registered ISO or processor and contain the bank brand.
ISOs and MLSs who are noncompliant won't fly under the radar for long. The card brands are doing spot checks. They randomly call offices, visit Web sites and have secret merchants (much like secret shoppers) request contracts or solicitations. Additionally, unhappy merchants often call the card companies to complain. This makes it pretty easy to identify offending ISOs and MLSs.
The card brands require their sponsor banks to enforce the rules as they apply to compliant marketing. The banks require their registered ISOs to do the same.
For example, if I, as part of SignaPay, know that one or more of my ISOs are marketing in their own name, it is my responsibility to stop them. And if I don't, an unhappy merchant can alert the card brands, which will track down the provider of the marketing materials and eventually find the unregistered ISOs or MLSs involved.
Historically, the card brands would call the sponsor banks first and strongly urge them to get their ISOs and MLSs into compliance. More recently, they have gone directly to violators who, if lucky, get a stern warning. If not so lucky, or if this is not the first notification, it is likely violators are fined. Then the card brands give a heads up to the bank.
If an unregistered ISO or MLS is found to be conducting business out of compliance, the sponsor bank will be found in violation and subject to disciplinary action. Fines set by the card brands start at $25,000 for the first offense and can go up to six figures.
If a bank is fined by Visa or MasterCard, it is fairly certain the damage will be passed along to the registered ISO. And get this: The amount of the fine depends on how many times the bank has been found in violation. Even if this is the first violation for the ISO or MLS, the amount of the fine could be higher if it was not the first time the bank has been noncompliant.
If you are an ISO who has paid the money to be registered, you have earned the right to do business in your registered business name. Chances are you've invested a substantial amount of time and resources building a brand.
When unregistered MLSs work for you, they benefit from your investments. In exchange for that privilege, they must agree to uphold your commitments and responsibilities and abide by the card brands' rules and regulations. And it is your responsibility to make sure they do so.
Most sponsor banks want to see samples of all marketing materials their registered ISOs use. Some banks want to approve materials before they are created; others simply require all materials used during a given period are submitted in bulk as part of a yearly review process.
Registered ISOs should create a similar policy with their MLSs. For the sake of their brands, ISOs should see all communication that goes out under their names. For the sake of compliance, ISOs should see everything MLSs are doing to conduct business, just in case something is done under the wrong name.
Some registered ISOs make it simple by providing all marketing materials to their MLSs. This includes business cards. But random Web site checks are also encouraged.
Another helpful strategy is for registered ISOs to add a marketing disclaimer to their reseller agreements that states, in effect: Here are the marketing guidelines established by the card brands. We are compliant, and we expect you to be. If you are found to be noncompliant, you may be subject to fines.
Forewarned is forearmed.
Note: Special thanks to Danette Smith for her invaluable help compiling and clarifying information for this article.
Nancy Drexler is the Vice President, Marketing for SignaPay Ltd., an ISO headquartered in Dallas. Reach her at firstname.lastname@example.org.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next