How Merchants Navigate Payments Integration Risk

Payrix podcast

When it comes to payments in commerce, what — and who — you don’t know can hurt you.

Underpinning that is the fact that the movement of money itself is all about knowing who you’re moving the money for.

For software companies and platforms that seek to integrate payments and provide value-added services to merchants, there is the never-ending challenge of balancing trust and risk.

In an interview with Karen Webster, Robert Butler, president of payments technology platform Payrix, illuminated the various degrees of risk that confront these providers — and how technology, with a dash of human interaction, can help mitigate at least some of those risks.

Risks for Merchants and Providers

For service providers, one of the most basic risks in the commerce arena is merchant risk. It goes without saying, perhaps, that for merchants, the brand is everything. And, as Webster noted, just as merchants strive to make sure their brands represent integrity, customer service and product quality, that same quest for integrity can influence merchants’ decisions about technology and service providers.

Said Butler, in taking a step back and examining risk on a high level, “It’s important to know who you are dealing with and how you [as a service provider] want to be perceived in the marketplace.”

For providers who accept, well, everybody as a customer, there will be challenges down the line, he cautioned.

“In many cases, the potential reputational risk can far outweigh the financial risk of doing business with somebody who is not exactly on the up-and-up,” Butler told Webster.

The merchant’s search for a good provider must go beneath the surface and consider factors that go well beyond pricing, he noted.

“They haven’t dug deep enough to find out whether these providers use PayFrames or PayFields to keep them out of PCI scope, or if they have an easy API setup,” he said.

Many merchants might not be so forward-thinking as to visit both Visa’s and Mastercard’s websites to find out whether their technology providers are SOC 1 or SOC 2, or ask questions about how they hold their data, Butler pointed out.

Newer questions might center around whether the providers are compliant with recent data laws mandated through GDPR for Europe and in the state of California.

“Navigating all of this is a bit complex,” he said.

Looking at the Aggregators

When expanding the same concerns to aggregators and business software solutions that integrate payments into the end user experience, some new, yet similar, risk considerations emerge.

As Butler noted, the aggregators, vertical software companies and digital marketplaces also need to think about the experiences they want to offer to their merchants.

“It’s easy to let everyone in the door, but that opens the door wide for fraudsters,” he warned.

There’s a balancing act here, too, where the aggregators seek to minimize friction alongside the instant onboarding process without putting themselves in harm’s way.

Amid the special considerations for aggregators is whether they fall under money transmitter licenses. Money transmission firms need a detailed wealth of knowledge about who is able — and who is unable — to conduct business on technology platforms. At the same time, they must manage the mechanics of moving funds across any number of ecosystems and locations. In other words, money transmitters must monitor the “pay out” risk just as much as “pay in” risk.

The Partnerships

In the bid to integrate payments, while juggling network operating rules and merchant categories, the search for a payments partner to help manage and mitigate risk should center on finding “not just a consultant, but a practitioner,” said Butler.

That’s especially important given the range of payment options that are on offer and still emerging, such as installment plans, subscription plans and recurring billing, all of which present new revenue streams (and risks) for the platforms.

With the advent of technology, said Butler — particularly through automated processes and machine learning — there’s the opportunity to reduce errors and boost efficiency in onboarding (where speed has become table stakes). Other tasks that can be automated include compliance and chargeback-related activities. Butler noted that aggregators and software companies can also examine ways to improve security by removing cardholders’ PII data from the equation.

Although technology can do much to assess the risk and creditworthiness of sub-merchants and get them up and running on platforms, Butler said there’s still room for human interaction. At times, human eyeballs can be valuable in further reviewing a firm’s activities and guarding against risk — letting companies transact, for example, but holding funds before disbursement if there is reason to be cautious.

Payrix’s goal of keeping current on emerging threats, through a mix of technology and manual efforts, is one reason the company recently hired Billi Jo Wright as chief risk officer.

“When you fully own and manage the experience and the revenue, you also own and manage the liability, complex requirements, standards, etc. … So the focus of our risk team is risk versus friction,” Butler told Webster.

With a nod toward some of those emerging risks, he pointed to cross-border payments and the different risk profiles held by various countries.

“We also see challenges domestically,” he cautioned, “such as identity theft on bank accounts as well as people signing up, processing and then bolting. It’s a constant battle to stay out in front of all that.”

“When it comes to risk, you’re never quite finished with it. Risk is something you need to look at holistically at all times,” Butler told Webster, adding that, “there are always different things popping up along the way. If you don’t stay on top of risk, it gets multiplied tenfold.”