Essential Merchant Monitoring Best Practices to Enhance Security
Shanty Elena van de Sande: Christian, congratulations on yet another edition of Web Shield’s “Fundamentals of CNP Merchant Acceptance”.
Let’s discuss the content, which explores the fundamental elements of ongoing monitoring as part of the merchant acquirer’s obligation to mitigate risk. Is ongoing monitoring legally required or considered by too many merchant acquirers as a recommended “nice to have”?
Christian: Ongoing monitoring is required by regulatory authorities and credit card organisations as part of enhanced due diligence for certain merchant types.
Especially acquirers with many high-risk merchants in their portfolio have to implement a solid monitoring framework. For them, monitoring isn’t an option but a legal obligation. Each jurisdiction imposes specific monitoring requirements through its supervisory authorities, and card payment regulations oblige gateway providers, merchant acquirers, associated PSPs and ISOs to be compliant.
Both Visa and Mastercard emphasise the importance of merchant monitoring. Visa, for example, has issued dedicated guidelines to help acquirers maximise the efficiency of monitoring procedures, while considering their available budget. They provide two mandatory requirements for the monitoring process: acquirers need to verify the product’s or service’s legality in the corresponding jurisdiction and review the merchant’s eCommerce websites to check if there are any links to other sites that violate applicable law or the Visa Rules. Apart from these two mandatory requirements, Visa also issues recommendations regarding products and/or services, websites and the terms and conditions.
Mastercard’s approach differs slightly from that of Visa: they grant the acquirer more autonomy to decide which monitoring procedures to implement. Mastercard considers transaction monitoring to be a central and fundamental component of successful risk management and they regulate website monitoring in their Security Rules & Procedure. In addition, Mastercard also defined a list of high-risk business types which require enhanced due diligence (e.g. Non–face-to-face Gambling Merchants, Pharmaceutical and Tobacco Product Merchants, Skill Games Merchants) and specific guidelines to monitor these business types.
Q: The book explores Reputation, Regulatory, Content and Transaction Laundering Monitoring. You dedicate a large portion of the book to these last two monitoring areas. What makes Content Monitoring and Transaction Laundering Monitoring so challenging for Risk departments?
Christian: Let’s talk about content monitoring: the card associations emphasise the importance of this and have developed programs encouraging acquirers to monitor their portfolios as part of enhanced due diligence. The scope of content monitoring is wide and very complex: Acquirers need to make sure to verify a merchant’s actual web content, check whether the products and services which are being offered are compliant with rules and regulations and so-called Merchant Disclosure Requirements, track contact data changes, identify third party merchant agents and check the website access or absence of transactions.
Any violation in this regard should trigger an alert, because this could lead to reputation loss. This work, however, is never easy since fraudulent merchants often know a lot of tricks to cover their tracks and some content cannot even be monitored or identified by content crawling, for example merchant agents.
Transaction laundering monitoring is another big challenge. This form of payment fraud has emerged during the last years and is of great concern to the card industry, because every acquirer runs the risk of being affected by complex fraudulent transaction laundering schemes. The fact that low-risk merchants tend to be targeted and abused more often than high-risk merchants makes this type of fraud particularly challenging. Transaction laundering occurs when a merchant knowingly aggregates transactions on behalf of another merchant, without the permission of the acquirer. The products and/or services are often illegal. This type of fraud is considered a major threat to payment facilitators and merchant acquirers. It is heavily sanctioned by card organisations.
Transaction laundering can remain undetected if the Transaction Monitoring Team, Chargeback Department and Sales Department don’t communicate efficiently, don’t share crucial data and don’t collaborate during the course of an investigation.
Q: In a global e-Commerce market, acquirers often operate in different jurisdictions and process transactions cross-border. It can be quite challenging for compliance departments to stay up to date about changes in the legal landscape. This is where Regulatory Monitoring becomes a crucial area in the acquirer’s Monitoring Framework. Please explain.
Christian: The legal landscape is changing constantly with the emergence of new business forms like cryptocurrency. All merchant acquirers are obliged to keep track of legal changes and implement regulatory monitoring to ensure compliance with local, regional and foreign jurisdictions. However, collecting legal opinions should not only be perceived as a requirement imposed by the card associations, but also as a way to protect acquirers and uncover illegal merchants who take advantage of the complex and continuous updates in the legal landscape.
Regulatory Monitoring is getting more important in the acquirers’ framework now that legislators increasingly apply new rules. This particularly impacts high-risk merchants and their acquirers. High-risk business types such as financial services, the travel industry, pharmaceuticals, nutraceuticals, adult entertainment, online gambling, digital goods, etc. are scrutinised closely and require a deep understanding of the local legal framework as they are subject to even stricter regulations due to their high risk.
The acquirer that processes transactions for merchants involved in these high-risk business types has to monitor regulatory changes to prevent non-compliance issues and associated penalties and risk. Regulatory News Monitoring and Legality Monitoring are highly recommended. Regulatory Monitoring is just one of the more than 25 monitoring areas that are being discussed in this book and we invite everyone who wants to increase their knowledge about Ongoing Merchant Monitoring procedures to scroll through its content.
Q: Thank you Christian for this interview!
The interview was conducted by Shanty Elena van de Sande.
www.elenavandesande.com, @SandeCopywriter or LinkedIn