By Adam Atlas
Attorney at Law
Gateways carry payment transaction data between cardholders, merchants, POS devices, processors, banks and payment networks. Until recently, gateways were perceived as the dull plumbing of payment processing, doing the drudgery of maintaining the "pipes" through which payment transaction information travels.
Today, gateway developers and providers are re-imagining gateways as potentially central and even controlling elements of the payment services network. The purpose of this article is to discuss some legal issues that are arising due to the evolving role of gateways.
Payment Card Industry security standards (PCI), which apply throughout the card payment system, are demanding. They prescribe certain levels of technical security compliance that entities must meet if they wish to store cardholder data. PCI is a type of industry self-regulation that makes sense given how much sensitive financial information is flying around between people and businesses.
Most merchants lack the sophistication to build PCI-compliant data collection, storage and transmission systems. Enter gateways. When you shop at a typical smaller online merchant and enter your credit card information, that information (if the merchant is PCI compliant) goes directly from your browser to a secure server that is likely nowhere near the merchant.
The information is then routed by the gateway to the payment networks for authorization and other messaging related to the transaction. Gateways have cultivated specific, deep capabilities related to this limited aspect of payments – data storage and communication.
Traditionally, ISOs contract with gateways for the gateway to provide data transport between merchants, banks and payment networks for the benefit of merchants. These contracts take various forms.
In some contracts, ISOs pay gateways to deliver service to merchants. In others, gateways pay ISOs commissions for revenues they earn from merchants for their services. For better or for worse, gateways often try to limit their liability with respect to their services. To be specific, gateways often say to ISOs that if something goes terribly wrong – for example, a data breach of the gateway service – the liability of the gateway is still limited to some multiple of contract fees or a fixed dollar amount.
This is in contrast to the potentially huge liabilities of merchants under merchant agreements if they, or their platform suppliers, incur a breach. When ISOs review their gateway supplier agreements, they should take a close look at the limitation of liability clauses.
These clauses are central to ISO-gateway relationships and should dovetail with terms merchants have accepted. In other words, if a gateway is not promising much in terms of indemnification for wrongdoing, the ISO should also not promise merchants much and should also limit its liability.
Here is where gateway contracting gets interesting. A surprising number of merchants are procuring gateway services but have no signed documents explaining the service terms and who is supplying the services. In some instances, an ISO contracts with a gateway to supply gateway services to its merchants, and the gateway does provide that service. Merchants integrate and are able to process transactions. However, what is sometimes forgotten is presenting merchants with terms by which they are procuring gateway services.
ISOs have two options here. One is to contract with merchants themselves and make promises as to delivering gateway services – with the real gateway being the fulfiller in the background. The problem with this structure is that if the gateway fails, the merchant sues the ISO because it has no contact with the gateway.
The second option for ISOs is to have the gateway contract directly with the merchant so that if the gateway fails, the merchant can sue the gateway and, perhaps, avoid bringing the ISO into the dispute. There remains risk for the ISO, but it is reduced somewhat by the real provider (the gateway) making direct promises to the merchant.
Gateway-merchant agreements, like gateway-ISO agreements, raise the key question of the liability of the gateway for a data breach. Gateways prefer to limit this liability – even if the merchant is left facing enormous fines from payment networks for PCI non-compliance or breaches.
It's safe to say that most participants in merchant acquiring these days have sorted out the issue of chargeback and fraud liability. Most agreements where that is an issue have some language allocating some or all of the liability for chargebacks or fraud to one or another party.
The same cannot be said of data breach liability. This weakness of industry contracts is further complicated by the fact that merchants (unsophisticated normal folks) carry full liability for data breaches that occur in their systems or systems that they use (that is, gateways). Meanwhile, gateways prefer to limit their liability to some multiple (that is, 12 months) worth of fees, which are usually nominal.
The result is an imbalance between who carries the liability for data breach (the merchant) and who is in a best position to limit the risk of data breach (the gateway). ISOs, gateways and merchants need to focus on this issue as I expect it will be the focus of future disputes. This is especially so in interconnected systems where users quickly lose track of who is storing what data and for whom.
Technical prowess of gateways means that they can route transactions to any bank in no time. Naturally, the bank accepting such transactions must have a contract with the merchant that is sending them. However, the ease of integrations through gateways has dissolved geographic limitations on processing and probably poses a challenge for banks to know whether they are processing transactions for local or foreign merchants.
ISOs should reflect on the ever-more integrated matrix of gateways and make sure transactions of a given merchant intended for a given bank actually go to that bank. The ISO has the opportunity to stop excessively creative (or outright illegal) processing activity that has become very easy.
It's a cliché for a lawyer to recommend reading contracts closely. However, with the increasing risk and cost of data breach, a close read of gateway terms may yield a surprisingly large protective dividend.
In publishing The Green Sheet, neither the author nor the publisher are engaged in rendering legal, accounting, or other professional services. If legal advice or other expert assistance is required, the services of a competent professional should be sought. For further information on this article, please contact Adam Atlas, Attorney at Law, by email at firstname.lastname@example.org or by phone at 514-842-0886.
Notice to readers: These are archived articles. Contact names or information may be out of date. We regret any inconvenience.Prev Next