ETA UNIVERSITY MARCH 19, 2015
Deana Rich, RICH CONSULTING, INC.
Edward A. Marshall, ARNALL GOLDEN GREGORY LLP
Payments 101: Overview of the Payments Ecosystem
The Ecosystem and its Components
Open-Loop Model
Card Networks and Member Banks
Card Networks: Visa, MasterCard, and Discover (see also American Express)
Provide infrastructure and brand acceptance
Clear and settle transaction information (not funds)
Establish interchange system and set rates (paid to issuer)
Accept dues and assessments
Establish and manage compliance with operating rules and regulations
Member Banks (Acquiring and Issuing)
Regulated financial institutions
Must comply with network/brand rules and regulations
May issue cards and/or acquire transactions directly
Issuing Banks
Consumer “on-ramp” to the payments ecosystem
Contract directly with consumer (cardholder); bill and receive reimbursement from cardholder
Receive interchange fees from acquiring bank
Settle transactions with acquiring banks (via networks)
May also offer prepaid
e.g., JPMorgan Chase & Co.; Capital One; U.S. Bank
Acquiring Banks
Merchant side of payments ecosystem
May sponsor agents, including processors and ISOs (“acquirers”)
Responsible for compliance with card networks’ rules and regulations
Carry and manage ALL risk associated with agents and their customers (merchants)
e.g., BMO Harris Bank; Wells Fargo; HSBC Bank
The Acquirers
“Acquirers,” a Versatile Concept
Acquiring Banks; Processors; ISOs; Sub-ISOs; Sales Agents
Merchant “on-ramp” to the payments ecosystem
Contract with, bill fees to merchants
Collect interchange fees from merchants through “discount rate”
Must comply with networks’ rules and regulations
Processors
Provide connectivity to networks for purposes of authorization (front-end), clearing and settlement (back-end)
Provide various levels of back-office support
Execute agreements with Member Bank, ISOs
Can, and frequently does, also function as an ISO (recruiting merchants through salesforce)
e.g., First Data; TSYS; Global Payments; Heartland; Worldpay
ISOs and Sub-ISOs
Independent Sales Organizations
Sponsored by Acquiring Bank
Sell payment acceptance access to merchants
May also provide various levels of back-office support (e.g., customer service, tech support, statements and reporting) and additional features
May have downstream agents (sub-ISOs or sales agents) also selling for them
Retail (Non-Risk-Bearing) ISOs
Entrust risk monitoring and underwriting to processor or other ISO
Wholesale (Risk-Bearing) ISOs
Conduct own underwriting and risk monitoring, subject to oversight
Indemnify banks and processors for losses related to returns, chargebacks, fraud, and data breaches
Banks and processors maintain liability for all downstream activity
A Day in the Life of a Transaction
A Day in the Life: Payment Authorization
A Day in the Life: Settlement
Interchange fees paid to issuing bank
Additional fees collected by processor, acquiring bank, and ISO for services
Ecosystem Risk
Minimal Cardholder Risk
Regulation E
Regulation Z
Credit CARD Act of 2009
Chargeback Protections
Chargebacks
Dissatisfied consumer can contest a charge (e.g., unauthorized transaction, did not receive purchase, defective purchase, deceptive merchant conduct)
Issuing Bank removes from statement; recoups money from Acquiring Bank
Acquiring Bank recoups from Processor and/or Risk-Bearing ISO, and, ultimately, Merchant*
Card Networks resolve disputes regarding chargeback validity (consumer friendly)
Ecosystem Chargeback Risk
Merchants may lack financial wherewithal to pay chargeback(s)
Thus, Acquiring Bank, Processor, and/or Risk-Bearing ISO may shoulder responsibility
Importance of Underwriting, Risk Monitoring, and Reserves
*
Liability Value Chain and Industry Oversight
Liability Value Chain: Card Networks; Member Banks; Risk-Bearing ISOs; Merchants
Industry Oversight: Card Network Rules; Industry Guidelines (ETA); Bank Regulators; Non-Banking Regulators
Data Breach Protection (and Risk)
PCI DSS
Evolving standards to keep data secure
Validation and compliance testing required by PCI Council and card networks (by merchant level)
EMV: Security at POS
Encryption: Security for Authorization Transmission
Tokenization: Security Post-Transaction
Data Breach Risk at Merchant Level
Consumer Notification (State Law Patchwork)
Card Network Liability: Forensic investigations; Non-compliance liability assessments; Card reissuance cost, data breach assessments, and fraud reimbursement schedules
Legal Risk: Consumer and shareholder litigation; FTC action
Data Breach Risk within the Ecosystem
Accepting merchants and consumers are largely insulated from counterfeit card fraud loss
Acquiring Bank, Processor, and/or Risk-Bearing ISO bear ultimate liability for Fines, Assessments, Reissue Costs (by merchant level)
Issuing Bank bears risk for remainder
Impact of EMV
© 2015 | All Rights Reserved
Deana Rich, President
RICH CONSULTING, INC.
818.787.5837
www.deanarich.com
Edward A. Marshall, Partner
ARNALL GOLDEN GREGORY LLP
404.873.8536
www.agg.com
Questions