As the payments industry continues to undergo significant changes spurred by strong innovation and new payment methods, online merchant risk is at an ultimate high. These continuous changes make it challenging for payment providers to stay one step ahead of risk. With an increase in data compromises and government regulations, the importance of performing extensive due diligence before onboarding a new merchant could not be greater.
Boarding the wrong merchant can be detrimental to your portfolio. You could bear the burden of any fraud, card network compliance violations, and chargebacks, costing you extensive financial damage with hefty legal and regulatory penalties. Unfortunately, many acquirers do not thoroughly investigate their merchants’ online presence and history of risk. The good news is that many potential threats can be avoided by following the right steps and knowing what to look for during the merchant boarding process.
Here are 5 areas of a merchant’s history to pay extra attention to at onboarding:
1. Review merchant history for past violations and risk
Reviewing your merchants’ risk history is a key step in the due diligence process, as past history is a good indicator of future behavior. Merchants with names or URLs that have been previously associated with illicit activity, such as the selling of counterfeit goods, illegal drugs, etc., should raise a red flag. Knowing any previous associations with other financial institutions will also provide insight into any risk potential. For example, if a merchant’s application indicates they have only been in business for one year, but you discover that four years ago they were working with another acquirer, you may choose to investigate further to find out what else your merchant may be hiding from you.
At this point in the boarding process, checking the WhoIs record of the merchant’s website (an online repository of information about registered domain names, such as creation date, name of registrar and contact information) will help confirm that the information on the merchant application matches up with the domain information. If, for example, the address on a merchant’s application is listed as being located in Los Angeles, but the domain is registered under an address in a high-risk country far away, this should be factored into its risk potential. Google Street View is a great resource to double-check physical addresses to be certain they actually exist. The more you know about a merchant’s history of past violations and subsequent risk, the better prepared you’ll be to make an educated decision of whether or not to board it.
2. Analyze merchant website content for violations
It’s essential to check every product and service on the merchant’s website for violations of card network rules, industry regulations, and the law. It only takes one noncompliant item on a site to change its status from compliant to noncompliant and to open you up for brand damage and financial loss due to penalties and assessments. You can never be too careful when it comes to investigating content that seems suspicious or on the cusp of being a violation. “Bad actors” will go to great lengths to disguise goods, not to mention, it can be difficult to stay up to date on the latest trends in counterfeit goods, illegal drugs, and other illicit goods. For example, synthetic cocaine is often disguised as “bath salts” or “plant food”, which cannot be easily discerned with a cursory glance at a site. MasterCard’s Business Risk Assessment & Mitigation (BRAM) Program and Visa’s Global Brand Protection Program (GBPP) and are in place to help acquirers comply with their regulations. It’s best to familiarize yourself with these programs and know what types of website content violate card network rules. Taking the extra time at boarding to thoroughly review a merchant’s online presence is a key factor in boarding merchants that fit within your risk tolerance.
3. Inspect and identify merchant business policies
Merchants with unclear, unfair or nonexistent business policies are likely to lead to future issues, not to mention some very unhappy consumers. One of the main contributors to high chargeback rates is a lack of clearly stated terms & conditions on merchant websites. Terms & conditions should be clear and include billing/special fees, intellectual properties, limitation of liabilities/disclaimers, disputes and choice of law, and general/specific terms of service. Ideally, privacy policies and terms of service should be one click away from the home page and easy for the consumer to find. Also, double-check that there is clear customer support information and that the phone numbers listed on the merchant’s website match the phone number on the merchant application.
4. Conduct background checks using watch lists
In conjunction with reviewing the merchant history, check merchants against various watch lists. Discovering a merchant’s domain registrar is on a terrorist watch list after you’ve boarded them would substantially increase your financial and legal liability. Luckily this can be avoided by checking industry and regulatory watch lists such as card network history, politically exposed persons (PEP), Office of Foreign Assets Control (OFAC), and World Bank.
5. Identify and evaluate your merchants’ service providers
More and more data breaches are occurring as a result of unsecure service providers. It is imperative to identify which third parties the merchant is using for their website, whether they are touching cardholder data, and evaluate their risk level. This should be done by investigating if their service providers are PCI DSS compliant, registered with the card networks and by performing SSL checks on the website, registration pages and payment pages (ensuring there is a secure connection between the user and the website). This step is often overlooked since many acquirers and ISOs focus on researching just the merchant website. Failure to evaluate your merchants’ service providers can lead to higher risk for data compromises by uninvestigated third parties. Plus, all service providers should be registered with the card networks, per their requirements.
Thorough investigation of potential merchants during the onboarding process is important to help predict the risk a merchant may pose to your organization. Adding the wrong merchant to your portfolio can put your brand reputation ask risk and opens the door to severe financial and legal penalties. By performing an in-depth analysis of merchant history, examining the merchant website for content violations, evaluating business policies, carrying out background checks and identifying service providers, you can better protect your organization from risk now and in the future.
G2 is the world’s leading provider of payment risk management services and analyzes the risk of hundreds of thousands of prospective merchants annually. By monitoring millions of merchants and analyzing their relationships and their risk, G2 has built the industry’s most extensive Merchant Map of merchant risk history.