Independent sales organizations and acquirers have long known the value of performing their due diligence when boarding new merchants. That’s become even more important as law enforcement turns to the payments industry to find merchants that run afoul of consumers and the law.
That has put more pressure on ISOs and acquirers to ferret out potential misbehaving merchants. Operation Choke Point is an effort by federal financial regulators designed to hold banks and payment processors responsible for any illegal acts by a merchant or independent sales organization.
Payment-data security provider ControlScan Inc. says it has a service that can help in that endeavor. Launched earlier this month, the SiteWatch service electronically analyzes a merchant’s Web site and application information to check for potential issues, such as selling different products than specified on the application. Atlanta-based ControlScan is working with EverCompliant, an Israel-based company, which developed the technology.
Despite the intense review to which merchant-processing applications are subjected, some merchants still find ways to hide information, says Ron Teicher, EverCompliant founder and chief executive. “The problem is it’s hard to detect bad merchants hiding their moves,” Teicher says.
Many times, the Web site listed on the application passes scrutiny, but the merchant has another site with problematic activity. That could elude reviewers because they are unable to connect the two sites. One reason, for example, is that instead of electronically passing along surreptitiously obtained payment data, one criminal may save it to a portable storage device and hand it off to a cohort, he says. Other merchants may not disclose that they have an e-commerce site. Another merchant might aggregate other merchants under its merchant identity, a prohibited action for many. “The acquirer didn’t know there was an issue,” Teicher says. “They got an alert.”
ISOs and acquirers send their merchant applications to SiteWatch, which analyzes them using automated systems and within a day returns a response indicating whether the merchant is OK or there are issues. In the event of the latter, EverCompliant provides a detailed report on the specific red-flag issues and suggestions on the steps to take, Teicher says.
The cost of the service includes an undisclosed annual fee and a monthly fee based on the volume of reviews, says David Abouchar, ControlScan senior director of corporate development.
Taking advantage of such tools could be a wise move for ISOs and acquirers, says Howard Herndon, an attorney specializing in payments at Waller Lansden Dortch & Davis LLP, Nashville, Tenn., especially given the shift in law-enforcement tactics.
“It’s clear that utilizing processors to drive compliance is going to be looked at in the event of an investigation,” Herndon says. This affects acquiring banks and their ISOs, he says. “It’s real,” he says. “It’s because the acquiring banks are coming under scrutiny as well as the individual processors becoming targets. You can see the acquiring bankers are going to look to their ISOs to see if they have these systems in place because they don’t want the exposure,” he says. “And the individual ISOs want it because they don’t want the liability.”
Using this service and others to monitor merchant activity is essential, Herndon says, especially because “we haven’t seen the aggressiveness of the government like this before. You can’t control that, but you can control putting into place systems that offer layers of protection.”