burning issue for the bankcard industry is compliance with the Visa U.S.A. and MasterCard International rules and regulations, but how well are most businesses addressing it? Sure, they probably think and talk about it frequently, but if the card Associations come knocking, would they find a truly compliant organization? Does it take a crisis for an ISO or processor to make compliance a priority?

"We're big on being proactive," said David H. Press, Founder and President of Integrity Bankcard Consultants Inc. (IBC), a consultancy that provides compliance, risk and operational reviews for banks, ISOs, merchants and processors. "We want to help in making sure that they are in compliance with the rules and regulations, that their contracts are sound and that they protect their interests."

Behind IBC are two partners, Press and Greg Brown, two long-time colleagues, each with a different area of expertise. They originally worked together for Peach Tree Bancard Corp. in Downers Grove, Ill. Brown served as general counsel, and Press managed the security and investigations unit. Combined, they have more than 40 years' experience in the bankcard industry.

When Press founded IBC in July 2000, Brown later joined him as Vice President.

From PI to Bankcard Consultant

Press also has another business; he is a licensed private detective focused on financial crimes such as identity theft, merchant fraud and scams perpetrated in the bankcard industry.

The idea to create IBC actually came from a bank executive who had hired Press to investigate something amiss at the bank. Press suggested hiring a consultant to review the bank's operations because he discovered that large dollar losses from merchant fraud were occurring.

"He told me, 'Start a consulting company, and I'll hire you,'" Press said. "At first I thought he was joking, but in a subsequent call he asked again: 'I've got it approved for you to come out to our center and to do a review.'

"Now," Press said, "about 90% of my workweek is dedicated to our consulting business, and 10% is dedicated to the detective agency. Before it was 90/10 the other way. Since 2000, it's shifted so now the only investigative work that we do is for our current clients that need, for example, an in-depth background investigation on an employee or on the principals of a new ISO."

IBC's primary focus is on back-end operations, such as underwriting, risk and chargeback processing. It assists start-up ISOs in finding the right processor and setting up their back-end procedures. The company also performs ISO/bank compliance reviews and works with merchants to eliminate chargeback problems.

As an attorney, Brown brings to IBC his specialization in the bankcard field. Clients ask IBC to review contracts and agent and ISO agreements.

"There are a lot of contracts out there, and there are a lot of bad contracts out there," Brown said. "We often work with clients' lawyers rather than directly with the clients. We end up being expert witnesses a lot." "The bankcard industry tends to be a very litigious business," Press said. "We offer all ends of the spectrum, everything from operational, risk and compliance, to the legal aspect, which gives us an advantage over a lot of our competitors."

What IBC Is Not

Although IBC provides a spectrum of services to customers, it does not certify businesses for compliance with the card Associations' data security standards (although it does refer inquiries about this to another company). It is also not an ISO.

"Although we've been approached by some of our banking clients and processors [about becoming an ISO for them], we've never crossed that line because it limits our objectivity ... it would become a conflict of interest," Press said.

How IBC Works

IBC provides compliance reviews of ISOs for members, processors and insurers. What should processors that are ready to get serious about compliance expect from an IBC review?

IBC tailors its compliance reviews for card Association requirements along with the client's concerns and risk tolerance. It reviews the ISO's procedures to ensure that it is in compliance with all Visa and MasterCard ISO service provider risk standards. These include:

• Compliance with the minimum standards and registration procedures members must follow in regard to ISOs.

• Use of financial reviews, onsite ISO reviews and background investigations of the ISO, its principals and employees as required.

• Adequacy of the security controls the ISO has in place including the auditing process, management and exception reporting and cardholder information security practices.

• Existence of all applicable account information security standards as set forth by Visa and MasterCard.

IBC performs most of its initial work on site. "The only way to see how the factory is running is to go to the factory," Press said. "We normally spend one to two business days on site. We see what they have in place and how they handle their day-to-day business.

"We gather up all the information, we may request additional documentation, and then back here in Illinois we prepare a fairly detailed report on our findings, with recommendations, and then send a copy to the client."

He gave the example of an operational/risk/compliance review for an ISO. IBC reviews all the business's interworkings, from applications to sales, underwriting, risk, merchant monitoring, customer service and chargebacks. Its report includes what the ISO is doing well and the areas in which it needs to improve in order to become compliant. IBC will also offer its assistance in making those improvements.

"Most of the assignments that we do are flat rate for the day; there are no hidden charges," Press said. "They get an agreement that says, 'this is what it will cost you for us to do the job.' We do have other clients that we charge hourly rates because they are more long-term, but the actual [compliance] reviews are for a specific time period and for a specific dollar amount."

Press works closely with clients that have risk or operational issues, and Brown works with clients that have legal issues or contract issues; however, some clients require the expertise of both. The biggest challenge IBC faces, Press said, is getting clients to understand that they need to operate within the card Associations' rules and regulations. Certain practices might make good business sense, but it's not sensible to do things that way if the business is violating the rules.

The card Associations will fine businesses in violation of their rules at least $25,000. "The card Associations don't call them up and say, 'We are going to fine you $25,000 next week,' they just take the money out of that members' interchange for that day," Press said. An amount like that is a lot of money for a smaller ISO, and this can put it in a crisis situation.

"A lot of companies and a lot of backroom personnel don't want to have consultants come in," Press said. "People get a little afraid of finding out where their deficiencies are.

"Every time we've done a review, we've found problem areas. There has not been one bank, ISO or merchant that we have reviewed in the last five years where we haven't found some serious issues. Some are a lot better run than others ... but it's unusual for an ISO whose primary function is selling to have someone on its staff who truly understands the card Association rules. That's where we come in."

'An Ounce of Prevention ... '

In the past year, IBC has seen an increase in the number of requests for compliance reviews.

"I think it's because ISOs are realizing that they may not be in compliance, and they've heard of the card Associations levying fines on other ISOs," Press said.

"They just don't want to get in the position where they are forced to pay a $25,000 fine for something that would cost a lot less to have reviewed and to fix it."

Usually most of the calls the company receives are because a crisis has already occurred. "People don't usually contact us until it's too late," Brown said. "It's panic rather than 'planic.'"

Unfortunately, most companies are reactive instead of proactive, Press agreed. "We get a lot of calls from people who have already been fined or who have already had a problem. Once you get your hand stuck, sometimes it's hard to extricate yourself," he said. "It goes back to that old saying: 'An ounce of prevention is worth a pound of cure.' When you think about the potential fines and/or the additional ramifications that the card Associations can place, the cost [of prevention] is small."