Understanding the role of an ISO in the payment process can be tricky. This blog outlines the most frequently asked questions surrounding ISOs and their pros and cons.
ISOs, or Independent Sales Organizations, play a vital role in the payment process by helping merchants accept card payments. Basically, an ISO acts as a middleman between banks and merchants, letting merchants accept payments without directly involving their personal bank.
Check out the YouTube short “What is an ISO?” below to learn what an ISO is in under 60 seconds.
There are thousands of ISOs, but if you’re curious about which companies are considered ISOs, Visa posts a list of all existing ones here. Another term that is sometimes used interchangeably with ISO is “payment facilitator.”
The value of an ISO to a merchant is debated; it depends on who the merchant’s acquirer is and what agreement that acquirer has with the ISO. ISOs are heavily sales-focused, so acquirers benefit from having the ISO’s team of sales representatives reach out to merchants on their behalf. Both the acquirer and the ISO can receive residuals on the transactions (swipes) of individual merchants.
One benefit for a merchant would be having a hands-on ISO sales representative who can help with questions and fix problems. In this way, partnering with an ISO can be a much more personal experience for both acquirers and merchants rather than just using an app.
As mentioned above, the answer to this question depends on the specific ISO and their agreement with an acquirer, but ISOs definitely can provide a more personalized approach. The majority of the time, an ISO will work with several different processors, which gives them the option to choose what works best for a merchant. This gives ISOs the ability to identify a good match for merchants based on their specific needs.
A good ISO representative will also understand how different merchants want to interact with their acquiring bank and payment brands and use this information to tailor their experience.
Sometimes, ISOs will run a program that only requires them to report a merchant’s compliance status to the processor, and other times, an ISO will have no input at all. More and more, ISOs are pushing for control over the merchant’s PCI compliance status so they can adjust fees and fines while still making sure their merchants are compliant.
A custom PCI program can make PCI painless for merchants, so ISOs will sometimes work directly with a company like SecurityMetrics instead of using the acquirer’s chosen program. So, whether or not an ISO will automatically enroll a merchant into the PCI compliance process depends on who your ISO is.
Some processors might already have a PCI program and will ask ISOs to send merchants to that specific program. If an ISO has an agreement with an acquirer and wants to use a different PCI program, it can, but it will still be billed for the acquirer’s chosen partner. So it might as well use the agreed-upon partner to save money.
Remember, if an ISO chooses its own program, it will have a lot more customization over pricing, packaging, communication, and the level of involvement of its chosen PCI program partner.
Not necessarily. The benefit of an ISO is getting that personal touch. Most merchants just want to get back to their business. Anything related to PCI compliance is going to distract from doing business. So anything an SMB can do to get compliant with as little work as possible is going to be most attractive to them.
This is a common question ISOs face. ISOs need to undergo a PCI DSS assessment because they are a service provider. Their assessment will involve many items such as internal and external network scanning, penetration testing, and anything else needed to ensure their backend (where merchants are accepting credit cards) is secure.
In fact, a merchant cannot truly be considered PCI compliant without their ISO also being PCI compliant.
It is important for all ISOs to realize they have to be assessed as a service provider and to take the necessary steps needed to move in that direction.
ISOs vary in their support based on what they consider to be important to their business and merchants. Often, ISOs or acquirers may choose a program that just focuses on getting merchants through PCI compliance as quickly as possible. This can turn into a checkbox situation instead of actually securing merchants or educating them on PCI compliance.
If PCI compliance education is a concern of yours, SecurityMetrics offers a completely free Data Security Academy that you can have your merchants enroll in.
One of the top concerns ISOs face is that there are many different groups within an organization. This means you have staff who are concerned with revenue, risk and compliance staff who want their merchants to be secure, product teams who want to give the best customer experience, and more. It also means that different groups within an organization can clash on what they deem to be most important.
For example, some ISOs charge a high non-compliance fee and rely on the revenue that’s generated by the non-compliance fee. This becomes a battle for the risk and compliance teams because the more compliant merchants become, the less revenue is coming in. And yet, customer experience is vital to retaining merchants, so product teams will want to make PCI a good experience for them so they don’t leave the ISO. All of this can lead to a messy dynamic.
Typically, they have some idea of what they need. Sometimes, it changes as they customize their program, but that’s the benefit of being able to customize your program.
Be sure you are partnered with a solution that has conducted PCI v4 assessments, so that your merchants are evaluated against the current standard.
SecurityMetrics helps you streamline PCI compliance for your merchants. One of the ways this is done is through education. SecurityMetrics has a wealth of free resources, such as our Academy, which is a training program that covers security basics.
SecurityMetrics has the award-winning PCI guide, HIPAA guide, blogs, white papers, webinars, a podcast, and a news channel that are all designed to help educate merchants on PCI and why PCI is important. SecurityMetrics also helps ISOs stay compliant so that merchants can trust the ISOs with which they are partnered.