egislative changes afoot pose challenges to both merchants and their acquiring banks. Two issues cast ominous shadows over the industry: The prospect of reporting merchants' gross bankcard sales, and data security bills promising to hold merchants accountable for disclosing data breaches.

Cracking down on retailers that fail to fully report their revenue, the White House has proposed in its 2008 budget to make merchant acquiring banks report it for them. The banks would be required to inform the Internal Revenue Service of the total bankcard reimbursements made throughout the year for each merchant.

"We did not think that was an accurate way to report the gross reimbursement payments," said Barrie VanBrackle, Partner in the business and transactions department of Manatt, Phelps & Phillips LLP and member of the Electronic Transactions Association's (ETA) Government Relations Committee.

When the budget proposal was made public, that committee met to discuss the ETA's stance and strategy. She said the association's approach will be to educate members of Congress on both the impact of the legislation and better ways to obtain the revenue results President Bush is seeking.

"How do we talk to Congress about this?" VanBrackle said. "We don't know what payment system would be the best to provide [gross sales] information." Because bankcard reimbursements are only a portion of a merchant's sales, reporting them may be inadequate to gauge retailers' true sales, she added.

If passed and signed into law, the proposal would raise costs for acquiring banks. "If it costs the banks, they will pass it down to the ISOs, and the ISOs will pass it down to the merchants," VanBrackle said.

Acquiring banks were not surprised by the Bush administration's proposal, which had been rumored for several years, said Nick Baxter, Senior Vice President at First National Merchant Solutions. Yet seeing it in print raised more questions than it answered.

"It's not a question of whether we're for or against it," Baxter said. "We want to understand what it is."

Law of unintended consequences

Acquiring banks need answers to "20 or 30 questions" before they can assess the proposal's impact, and numerous issues must be clarified, Baxter said.

These include the lack of national identification numbers for merchant businesses, variations in fiscal years from company to company, how to account for chargebacks and cash back at the POS, and the particular sales metric that is to be reported.

Add to the list another issue: How much accountability would be placed on banks for the accuracy of the reported data?

Many variables can make the difference between a workable law, versus one that requires banks "to rewrite half the code in your system," Baxter said.

Numerous pending state bills dealing with interchange contain factual inaccuracies regarding the system. As with these bills, banks want to ensure that lawmakers and the IRS truly understand the mechanics of the bankcard system.

"One law we do have is the law of unintended consequences," he added.

When costs exceed benefits

"Some merchants fail to report accurately their gross income, including income derived from payment card transactions," the budget proposal states.

But the wording gives the IRS wiggle room to determine when reporting would not be useful. The IRS would have the authority to make exceptions when costs exceed the benefits.

If passed by Congress, the proposal would go into effect Jan. 1, 2008, and yield a paltry $113 million in extra tax revenue its first year. The estimated tax payments would grow sharply in subsequent years, adding nearly $1 billion to the Treasury in 2011.

With a busy lobbying program already on its plate, the National Retail Federation has not yet taken a position on the proposal, according to J. Craig Shearman, NRF Vice President for Government Affairs Public Relations.

"Our front-burner tax issue right now is working on the minimum wage bill and getting small-business tax relief to compensate for the added payroll costs," he said.

Finding disclosure

Rep. Barney Frank, Chairman of the House Financial Services Committee, plans to introduce legislation that would require disclosure of data breaches involving citizens' private information, including credit card data.

"We don't know exactly when or what form the legislation will take," said Committee spokesman Steven Adamske. "It's on our committee's agenda" and may not be introduced for months.

While specific provisions are not yet defined, Frank has outlined some basic principles, "such as providing incentives to encrypt data ..., allowing people to freeze their credit and not pre-empting state consumer protection laws," Adamske said.

Requiring companies to disclose where breaches originated would create the incentive to encrypt data retained by merchants and others, he added.

The most onerous provision Congress could impose on the industry would be a disclosure requirement, because notification would be difficult without a national registry of e-mail addresses, VanBrackle pointed out.

Retailers or other companies may have no known way to contact cardholders. "I can't imagine [using] regular mail," she said. And with e-mail, legitimate notifications would be suspect due to the onslaught of phishing e-mails making the same claims.

"I get these e-mails once a day," she said. If a cardholder does not respond to a notification, how can companies prove that disclosure has been made?

The Data Accountability and Trust Act, introduced in the House Feb. 7 but unendorsed by Frank, creates the exemption from disclosure he had discussed for data stored in an encrypted form.

This act specifies direct written and/or e-mail notification, if possible. Substitute notification methods include a notice on a Web site belonging to the company or in print and broadcast media.

The Personal Data Privacy and Security Act, reintroduced in the Senate this month, would create exemptions for credit card companies using fraud-prevention techniques.