The Green Sheet Online Edition
December 8, 2025 • 25:12:01
Legal ease:
Flying PAN meets traveling MID: Connecting the dots between untethered payment accounts
In our industry's "before times," a cardholder would present their physical card at a retailer that processed the card's primary account number (PAN) using a point-of-sale device programmed to accept cards for the associated merchant identification number (MID). Not anymore.
Today, the person using a card is often shopping online with a digital card (PAN) perhaps provided to them by an employer for expense reimbursement. The digital card is then presented to a merchant that might be using a payfac to process the card, through a string of APIs, engaging with a MID that the merchant doesn't even know exists.
The decoupling of the typical cardholder from their typical card and the decoupling of the merchant from their typical MID has enabled countless new business models, but they also present risks and legal challenges that participants should perhaps consider.
Not your grandpa's card
How many payment cards do you have in your phone's wallet? I'll guess there are more than just a couple. Of course there are standard business and personal credit cards and debit cards, but there are also likely to be a suite of other cards with no physical equivalent. For example, a retailer issues a $10 voucher redeemable anywhere as a gift to shoppers; that card might be a single-use, branded, prepaid, digital card that works like any other card, just with a $10 limit.
Perhaps your business has an expense management system that issues digital cards to you for specific expenses, like software subscriptions, travel or other business expenses.
For each of the novel cards out there, it helps to consider who actually is the cardholder of the card. Most users would not pause to consider that question, but payments professionals might take an interest to help assess the related risks. Consider an employee expense reimbursement card program. The list of participants in a program like this is long and often includes the following:
- Issuer: This is the bank that issues the card under a license agreement with a card brand network. The issuer is also party to the cardholder agreement with the cardholder.
- Program manager: This is the business that has become registered as a card issuing ISO with the card networks. Remember, as the regulated financial institution issuing the cards, the issuer remains entirely liable for legal compliance of the card program including issues like fee disclosures, transaction monitoring and AML/OFAC compliance. The issuer then hires a program manager to assist in marketing and supporting the card program (like an ISO running an acquiring program).
- Program manager agent: A bit like agents in the acquiring industry, program managers sometimes engage agents to drum up business. Depending on how compliant the program manager remains, these agents might start to look more like program managers themselves – sometimes confusing customers as to who is actually supplying the cards.
- Cardholder: Here is where the lines are often blurred. Traditionally, we would never doubt the identity of the cardholder. However, in business expense reimbursement programs, the cardholder is usually, technically, the business that engaged the program manager to supply cards to their employees. However, the employee using a card in the program might see their own name on the (digital) card thereby introducing an element of doubt as to who the cardholder really is. Legally, the identity of the cardholder is very important because in most expense reimbursement programs, the program manager and the issuer log only a business as a client and cardholder; they perform less underwriting on the individual users of the card.
- Card user: If your employer sends you on a business trip with a (digital) card that has your name on it, you might be forgiven for believing you are the cardholder. The issuer might not even know you are using the card. It is most likely that the issuer boarded your employer as a cardholder.
- Digital wallet service: Phones have digital wallet applications that store digital card credentials. When you save the expense card to the digital wallet app, you are using that app to store the card.
- Merchant: This is the merchant (for example, a hotel) that accepts the card as a payment method.
Payments professionals can benefit from taking a moment to consider who plays which role in the above. For example, if you are an ISO involved in traditional acquiring and you want to start offering your merchant payment cards, it is beneficial to consider whether you are going to resell cards for an issuer, a program manager or an agent of a program manager. Remember, not everyone has the legal right to sell what they are selling.
The upshot on the issuing side is that cards presented to merchants are sometimes only tenuously connected to the person making the purchase. When data breaches, fraud, returns or chargebacks occur, it might be difficult to unwind a transaction that has air gaps between the traditional rails and what is happening in the real world.
MIDs on the move
Readers of The Green Sheet are well aware that a MID used to acquire a transaction may have been supplied by an agent of a payfac powered by a string of APIs, such that the line of sight between merchant and acquirer is fuzzy.
This is problematic and potentially illegal, but very easy to implement with contemporary technology. A merchant may be boarded with an acceptable underwriting profile, but they may allow their MID to be used by a third party to process transactions that would be prohibited under the terms of the applicable merchant processing agreement.
The payfac and acquirer might never know because they simply receive API calls with cardholder transactions that might be somewhat disconnected from the actual shopping cart and transactions.
The increasing dissociation of issuers from cardholders and acquirers from merchants is overflowing with AML, legal, fraud and other risks. Payment professionals can mitigate these risks by learning exactly who is who. 
In publishing The Green Sheet, neither the author nor the publisher are engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law email: atlas@adamatlas.com, Tel. 514-842-0886.
Notice to readers: These are archived articles. Contact information, links and other details may be out of date. We regret any inconvenience.
