1000px-road

ETA Expert Insights: What Does it Mean to Innovate Responsibly? Part Two

Brandes Elitch, CrossCheck; Member of the ETA Payment Sales & Strategy Committee

Fintech innovation creates many opportunities and brings new players into the ecosystem, but it also creates poses new challenges and risks. The ETA Payment Sales & Strategy Committee reflected on how payments providers can embrace innovation in a sustainable way. Below, committee member Brandes Elitch explores a key trend in the payments industry: the acquisition of new software players by merchant acquirers. Click here to read part 1. 

Independent Sales Organizations (ISOs) and Merchant Service Providers (MSPs) are laser-focused on making the sale. And this is a very challenging job. Their client, whether an acquiring bank, processor, ISP, vendor, portal, or some other participant in the payments ecosystem, depends on them to create an ongoing revenue stream to enhance the value of their portfolio. Nothing happens until the sale is made! That sale creates revenue growth and market share. Today, successful selling in payments requires ISOs and MSPs to keep up with the latest in payments innovation and offer their merchant customers the tools and products they need to grow their business. By and large, that innovation comes from software; if you want to outsell your competitors, you need to harness the power of value-added software for your merchant customers. But this kind of software-based innovation also presents challenges and risks. This article examines how those risks arise and how merchant acquirers can mitigate them.

Industry data tells us that the average merchant changes merchant processors every three years. Today, merchants want to know how what you are proposing makes their life easier and also creates a better user experience for their customers. This means focusing on the Big Four of UX: convenience, speed, usability, and security. Consumers, their customers, are increasingly focused on privacy and data security. As an ISO/MSP, your job is to deliver on each of these fronts.

The Payment Sales & Strategy Committee frequently observes that “Our industry tends towards disruption!” Moreover, tech-savvy consumers are embracing new payment products, and this forces the merchant to adapt. Let’s take a step back and look at the Big Picture first.

For most of the history of the merchant acquiring industry, going back to introduction of the magnetic stripe card in 1969, merchant acquirers were walled off from the banking world. The acquiring industry as we know it took off around 1980, when issuing banks began to issue magnetic stripe cards. But the emergence of FinTech is changing everything. Just recently we saw the purchase of First Data by Fiserv, a bank core processor. The major card issuing banks are now major acquirers. Whole new methods of payment are emerging; you can pay from your vehicle as you drive (“dashboard commerce,”), pay with a biometric (your fingerprint or your face), buy with cryptocurrencies, and pay with smart devices with internet connections and cloud-based software libraries.

All these new products and services are creating new points of commercial interaction. In many stores, for example, you do not need to wait in line to check out – simply find a store associate with a mobile checkout device and you’re done. These innovations are also creating huge amounts of consumer and transaction data and, consequently, new points of vulnerability to data breach and malicious interference. Who is identifying and managing the risk of these new products?

The answer is that today, the large processors do not develop new products in-house: they buy software companies that have a ready-to-market solution. Examples include TSYS buying iMobile3 and Cayan, Worldpay partnering with Revel, and Elavon taking a minority investment in Poynt. At least at the outset, liability for the new offering lies with the acquired technology company, not the processor. Over time, however, these products have become more complicated and complex, increasing the scope of compliance and introducing new risks. Fortunately, these large, publicly traded firms have well-staffed legal and compliance departments to analyze risk and exposure of new solutions.

Today, your merchant customers will expect your solution to provide analytics and reporting such as general ledger accounting and tax accounting, loyalty and rewards, discounting, time clock and employee management functions, and inventory control. This is where innovation risk really hits home, because many of these offerings were designed and are managed by third parties, over which you, as an acquirer, have limited control. As we will see, innovation risk is really about choosing and managing the right business partners who are writing the software to drive payment processing. Over time, this risk will involve software updates, as opposed to new hardware, which has been the case in the past.

In essence, you are delegating your product design and product management to a third party. Merchants are undergoing a similar shift – for example, branding services like Uber Eats are taking over the customer relationships from local restaurants. Third parties – that is, software providers – have increasing access to your customer data. How do you manage privacy and data security in this new context?

When you offer a new product or service from a small start-up that you just bought, there are regulatory, operational, and reputational risks that may not be fully vetted in this early stage.  We know that consumers want and expect regulatory protection for their payments, particularly if they go through a non-bank. Regulators are not idle on this point, either. We have seen enforcement actions related to anti-money laundering (AML), Know Your Customer (KYC), Bank Secrecy Act (BSA), privacy violations, and violations regarding consumer information/consent violations.

One of the most basic risk management tools is compliance with the Payment Card Industry Data Security Standard (PCI DSS). Each year, Verizon issues a study tracking compliance with PCI DSS across several areas and requirements. The 2018 study found that nearly half (47.5%) of the companies surveyed were not compliant. This is a fundamental risk management goal, and our industry is nowhere close to meeting it. As the report explains, while compliance with PCI DSS does not guarantee your operation is secure, lack of compliance is a strong indicator that your systems are vulnerable. The sales channel has a stake in this – merchants and their customers care about security, and they need guarantees that you are taking care of their data. This conversation needs to be a part of every sales call.

Meanwhile, here are three major areas where we can expect to see more disruption.

  • Artificial Intelligence and Machine Learning. Typically, these services are going to be provided to your processor by third party providers, so your company is going to have to perform a thorough due diligence on them and their products.
  • Digital Payment applications, such as NFC and QR codes. As we see more contactless and online payments, the merchant becomes more vulnerable to cyber-attacks, theft, and fraud. The hackers are going after customer personal data, not just money. Responsible monitoring is needed to prevent reputational risk to your firm in the event of a breach.
  • As merchants and consumers embrace new types of payments via new channels, regulation gets to be more complex, and may require additional resources for compliance. However, using a third party firm can mean sharing sensitive data, which creates more risk and requires oversight.

In conclusion, innovating responsibly means performing a thorough initial and ongoing analysis with the end goal of providing a state-of-the-art product. Whether developed in-house or via an acquisition from a third party, it must come at an affordable cost, improve the consumer user experience with the merchant, and maintain their data privacy and security.