Payments Compliance 101 for VARs, Gateways, and ISVs

The payments industry evolves almost daily with the introduction of new technologies and shifting consumer preferences. While in the past there was a well-understood hierarchy of service providers, such as banks, processors, and independent sales organizations (ISOs), a new breed of technology companies, including value-added resellers (VARs), integrated software vendors (ISVs), gateways, and payment facilitators, are increasingly building payments technologies into their software platforms to compete more directly with traditional payments companies.

Expanding more directly into payments offers a number of benefits – enhanced revenue opportunities, expanded engagement with customers – but can also create potential legal and regulatory risks. This article highlights key legal and regulatory considerations and potential pitfalls for technology companies seeking to expand into traditional payment processing activities.


Merchant Onboarding, Underwriting, and Monitoring

Federal regulators often hold payments processors and ISOs liable for the fraudulent activities of their merchant clients. Any technology company seeking to enter the payments space more directly must understand, and implement appropriate controls for, this risk.

The starting point for compliance is the implementation of a compliance management system (CMS) that covers the technology company’s operations, services, and compliance with applicable laws. Within this system, key areas of focus should cover merchant onboarding and due diligence, and ongoing monitoring responsibilities as dictated by contractual requirements with a processor or ISO, card network operating rules, and regulatory requirements.

As technology companies become more involved in offering payments services to merchants, regulators will expect these companies to implement compliance protocols similar to those used by processors and ISOs. At a minimum, regulators will expect a company with merchant relationships to engage in basic “Know Your Customer” activities, even if the company is not directly subject to federal anti-money laundering regulations. Moreover, any red flags missed during merchant due diligence could expose the ISV, VAR, or payment facilitator to business, reputational, and law enforcement risk.

Consumer protection law enforcement actions brought over the years by the Federal Trade Commission (FTC) and the Consumer Financial Protection Bureau (CFPB), in particular, outline these red flags, which may include questionable business practices in the merchant’s sales processes, incomplete or inaccurate application information, consumer complaints about the business, and results of a site visit, among many others.

Once a merchant is given access to the payments system, the technology company should keep a close watch on the merchant’s activities. Banks, processors, and ISOs typically monitor processing metrics such as sales, refunds, and chargeback activity. While a VAR or ISV may not have access to such detail, today’s regulatory environment demands that payments companies take a deeper look into each merchant’s marketing and sales practices even after the merchant is up and running.

This review may involve periodic checks for website changes, consumer complaints, and other signals that a merchant’s business operations differ from what was expected. Regulators will expect VARs and ISVs to perform these types of checks even if they are not contractually required to do so.

Fortunately, there is industry guidance available to help ISVs, VARs, and payment facilitators get up to speed quickly on regulatory expectations and best practices. In particular, the Electronic Transaction Association (ETA) has developed Guidelines on Merchant and ISO Underwriting and Risk Monitoring for its members in the payments industry, which serve as a comprehensive resource for those seeking tools and strategies for enhancing policies and procedures. ETA has also published Payment Facilitator Guidelines to help members in the fast-growing payments facilitation industry understand risks in emerging markets and business verticals most apt to use a payment facilitator model for their payment needs.

Payment facilitation, in particular, is a hot area in payments right now, especially within the VAR, ISV, and gateway industries. On one end of the spectrum, the payment facilitator model permitted by Visa and MasterCard allows registered facilitators to process transactions for known and vetted sub-merchants. Merchant aggregators essentially permit small businesses to accept credit and debit card transactions without having to set up their own merchant account. Instead, the merchants rely on the aggregator’s merchant account to submit credit and debit transactions through the card networks. This requires the payment facilitator to enter into a sub-merchant agreement with, and perform screening and underwriting on, each sub-merchant to ensure the merchant is engaged in lawful activity and complies with card brand rules as well as the requirements of the acquirer.

On the other end of the spectrum, unauthorized transaction laundering or “factoring” involves the undisclosed processing of third-party transactions through a merchant account (normally to disguise unlawful conduct). Factoring, a form of money laundering, violates state or federal laws that prohibit money laundering, especially if the transactions being factored are linked to illegal activities.


Data and Privacy

Another area that has received significant regulatory scrutiny in recent years is data privacy and security. Electronic payments systems may allow merchants and payments processors to access sensitive consumer data, including employee information, social security numbers, tax identification numbers, and company sales data. Access to this information, and the ability to provide data analytics, is one of the “value propositions” that payments companies seek to offer to their merchants. Given this access to sensitive data, however, payments companies need to ensure they have robust data security and privacy programs in place.

This is of primary concern, as the FTC and the CFPB have turned their enforcement spotlight on data security practices, including in the payments industry. Last year, for example, the CFPB brought its first data security enforcement action against a payments processor (see In the matter of Dwolla, Inc.). The CFPB’s order did not include any allegation of a data breach, or even a consumer complaint. The action was the result of a CFPB assessment that the payments processor’s data security measures were inadequate.

A natural starting point is compliance with the Payment Card Industry Data Security Standard (PCI DSS), a requirement for companies that participate in the payments ecosystem (and, increasingly, a standard used in other industries). Nevertheless, PCI DSS compliance alone may not satisfy a government inquiry into data security practices. The government will dig deeper to see whether the company had appropriate safeguards in place, to look for any deficiencies or areas for improvement highlighted by independent audits or assessments in past years, and to determine whether the company took steps to remediate any such deficiencies or areas for improvement.

Article originally posted by:

BASYS Processing as a business partner 

If your processor doesn’t offer seamless integration, an industry-leading revenue share, and personal service for your users, please call BASYS Processing at (800) 386-0711. Let’s talk about creating a business partnership that will help you meet and exceed your goals. 

BASYS Processing features: 

• User-friendly API allowing for seamless integration into your software.
• Competitive revenue share, and easy-to-read revenue share reports tracking growth.
• Personalized customer solutions including automated recurring billing, secure customer vault, and more!
• A friendly, live voice will answer the phone when you or your customers call; no automated phone systems.
• In-house PCI Compliance team to walk your customers through the process step-by-step, improving security and reducing costs.
• Access to our marketing department, plus a full suite of marketing materials, blogs and videos 

About BASYS Processing 

BASYS Processing provides credit card and debit card processing services, plus solutions that include terminals, virtual terminals, e-commerce, mobile, and point-of-sale, customized to fit any need. Banks, associations, and software partners depend on us to strengthen their reputations and relationships with their customers by providing remarkable service paired with ultimate flexibility and pricing. Merchants depend on us to make accepting credit cards and debit cards convenient, safe and affordable. BASYS was founded in 2002 on one philosophy: to take care of our merchants, partners, and employees so they never want to leave. We are dedicated to working one-on-one with our customers to design the perfect solution. BASYS is Personal Payment Processing.

Learn more at, and connect with us online at: