In the four-corner model (cardholder, merchant, acquirer, issuer), the acquirer looks like the least active party, since its role seems 'only' to forward the transaction flow from the merchant to the issuer and back. In the model, the acquirer is the merchant's bank.
It receives messages from the payment terminals, usually in ISO 8583 format (or one of its many variants), and processes and forwards them to the issuing bank through the payment networks. Acquirers, like the other three corners, must secure themselves. Acquirer security and merchant security are often linked, because what protects the merchant indirectly protects the acquirer. Much of an acquirer's protection is dictated by PCI (Payment Card Industry) compliance requirements. The following looks at how acquirers can protect themselves from their own merchants, whether those merchants are careless or fraudulent.
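As an added illustration (not code from the original article), here is a minimal parser for an ASCII-encoded ISO 8583 authorisation request of the kind an acquirer host receives, followed by the redaction an acquirer applies before the message touches a log. The field table is an assumed subset of the standard's data elements with assumed encodings, the sample message is constructed, and real host specifications (binary bitmaps, packed BCD, different length prefixes, secondary bitmaps) will differ.

```python
"""Minimal ASCII ISO 8583 encoder/parser with PCI-style log redaction.

Added example for illustration only. FIELDS is an assumed subset of the
ISO 8583 data elements; real acquirer host specifications differ (binary
bitmaps, packed BCD, other length prefixes, secondary bitmap).
"""
import re

# element -> (name, kind, length); "fixed" = exactly `length` chars,
# "llvar" = 2-digit decimal length prefix followed by up to `length` chars
FIELDS = {
    2:  ("pan",             "llvar", 19),
    3:  ("processing_code", "fixed", 6),
    4:  ("amount",          "fixed", 12),
    7:  ("transmission_dt", "fixed", 10),
    11: ("stan",            "fixed", 6),
    22: ("pos_entry_mode",  "fixed", 3),
    35: ("track2",          "llvar", 37),
    37: ("rrn",             "fixed", 12),
    41: ("terminal_id",     "fixed", 8),
    42: ("merchant_id",     "fixed", 15),
    49: ("currency",        "fixed", 3),
    52: ("pin_block",       "fixed", 16),  # encrypted 8-byte PIN block, hex in this toy format
}
SENSITIVE = {35, 52}  # full track data and PIN blocks must never reach logs or storage

def encode_bitmap(present):
    """Primary bitmap: bit i (1-based, MSB first) is set when element i is present."""
    bits = 0
    for f in present:
        if not 2 <= f <= 64:
            raise ValueError(f"element {f} needs a secondary bitmap (unsupported here)")
        bits |= 1 << (64 - f)
    return f"{bits:016X}"

def decode_bitmap(hex16):
    if not re.fullmatch(r"[0-9A-Fa-f]{16}", hex16):
        raise ValueError("primary bitmap must be 16 hex digits")
    value = int(hex16, 16)
    return [i for i in range(1, 65) if (value >> (64 - i)) & 1]

def build_message(mti, fields):
    body = []
    for f in sorted(fields):
        if f not in FIELDS:
            raise ValueError(f"element {f} not in the assumed field table")
        name, kind, length = FIELDS[f]
        val = str(fields[f])
        if kind == "fixed" and len(val) != length:
            raise ValueError(f"{name}: expected {length} chars, got {len(val)}")
        if kind == "llvar":
            if len(val) > length:
                raise ValueError(f"{name}: longer than {length}")
            val = f"{len(val):02d}{val}"
        body.append(val)
    return mti + encode_bitmap(fields) + "".join(body)

def parse_message(msg):
    """Return (mti, {element: value}); reject anything the field table does not describe."""
    if not re.fullmatch(r"\d{4}", msg[:4]):
        raise ValueError("bad MTI")
    mti, present, pos = msg[:4], decode_bitmap(msg[4:20]), 20
    if 1 in present:
        raise ValueError("secondary bitmap present (unsupported here)")
    out = {}
    for f in present:
        if f not in FIELDS:
            raise ValueError(f"unknown element {f}: refusing to guess its length")
        name, kind, length = FIELDS[f]
        if kind == "llvar":
            if not msg[pos:pos + 2].isdigit():
                raise ValueError(f"{name}: bad length prefix")
            length, pos = int(msg[pos:pos + 2]), pos + 2
            if length > FIELDS[f][2]:
                raise ValueError(f"{name}: declared length exceeds maximum")
        val, pos = msg[pos:pos + length], pos + length
        if len(val) != length:
            raise ValueError(f"{name}: message truncated")
        out[f] = val
    if pos != len(msg):
        raise ValueError(f"{len(msg) - pos} trailing chars after last element")
    return mti, out

def mask_pan(pan):
    """PCI DSS display rule: at most the first six and last four digits in clear."""
    if not (13 <= len(pan) <= 19 and pan.isdigit()):
        raise ValueError("PAN must be 13-19 digits")
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def redact_for_log(fields):
    """Drop sensitive authentication data and mask the PAN before logging."""
    return {FIELDS[f][0]: (mask_pan(v) if f == 2 else v)
            for f, v in fields.items() if f not in SENSITIVE}

# Constructed sample: an authorisation request (MTI 0200) from a chip terminal
SAMPLE_REQUEST = build_message("0200", {
    2: "4111111111111111", 3: "000000", 4: "000000012345", 7: "0315142233",
    11: "000123", 22: "051", 35: "4111111111111111=27121011234567890",
    37: "000123000123", 41: "TERM0001", 42: "MERCHANT0000001", 49: "978",
    52: "A1B2C3D4E5F60718",
})
```

Two points matter for security: the parser refuses any element it has no length rule for instead of guessing, so a malformed or hostile message fails closed, and the log view never contains track 2 data or the PIN block and only ever shows a masked PAN.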
Merchant risk management by Acquirers
Merchant risk management by acquirers is a difficult exercise, usually applied case by case. It consists of examining each merchant within a global risk management framework.
Merchant acquiring requires adequate risk management controls, implemented by the acquirer to protect itself. Among the primary risks that arise while processing transactions for merchants are merchant-cardholder complicity and transaction laundering (a merchant processing payments for an undisclosed, often illicit, business through its own merchant account). A merchant can expose an acquirer to risk in many ways; these are generally complex, and only expert risk management systems (provided by the card brands or by commercial third parties) can help the acquirer predict and cover them.
Chargeback management
In the four-corner model, the acquirer always bears the risk that a merchant becomes insolvent, and always remains responsible for the payment processing it has performed.
If a merchant goes bust, it is up to the acquirer to settle all outstanding chargebacks and refunds. This risk is covered by the acquirer's fees, which must be computed accordingly.
Chargebacks themselves can be a major risk for an acquirer, especially when cardholder and merchant collude, or when the merchant is malicious or careless.
Acquirers use specific frameworks to score the risk of merchants with excessive chargeback ratios. These frameworks often combine machine learning (ML) models with expert rules.
Card association protection systems
The card brand associations (or card payment schemes, e.g. Visa, Mastercard, etc.) have developed several powerful tools for managing merchant-related risk, and they are part of the protection available to the acquirer.
For example, BRAM, Mastercard's Business Risk Assessment and Mitigation program, or the Visa Global Brand Protection Program (GBPP).
BRAM and GBPP detect merchants selling goods or content that are illegal under local, state or federal law, or that violate the scheme's own rules and regulations. Examples of such violations are breaches of intellectual property rights (sale of counterfeit goods or digital media) and unlicensed broadcasting of IP-protected entertainment content.
BRAM and GBPP fines are passed on to the merchants, but if a merchant is insolvent the liability falls back on the acquirer, which is why the acquirer must continuously monitor and predict the risks associated with its merchants. Another threat is reputational risk: some products and transactions are legal yet may hurt the acquirer's reputation. Legal cannabis is a good example.
Visa Transaction Advisor (VTA) and Visa Account Attack Intelligence are tools built on machine learning that acquirers can use to protect themselves.
Third-party anti-fraud system
Most acquirers use an anti-fraud system to monitor their merchants' daily activity.
The acquirer can be held liable for losses caused by a merchant, especially a fraudulent merchant engaged in deceptive practices.
Several indicators can be used. A prevalent one is the number of daily chargebacks. For a merchant selling through a website, the anti-fraud system typically also checks for multiple purchases of an identical amount, repeated use of the same card number (PAN), the same source IP address, and so on.
Most of the time, acquirers rely on third-party monitoring providers that bring large historical databases and proven machine learning models.
These anti-fraud systems can, for example:
- Predict the likelihood of collusive or fraud-targeted merchant activity;
- Predict the likelihood of bankruptcy among existing merchants to lower potential loss exposure;
- Predict the risk of attrition among existing merchants to manage merchant satisfaction.
ATM & EFT POS networks
PKI
Each card scheme operates its own Certification Authority (CA), and the acquirer has access to the scheme's CA public keys. These keys are organised per RID (Registered Application Provider Identifier) and identified by a CA public key index; the acquirer must obtain the right set so that its terminals can use the cryptographic features of EMV.
Card schemes distribute the CA public keys to acquirers so that they are loaded into the payment terminals provided to merchants, where they are used mostly for offline data authentication (SDA, DDA, CDA): the terminal recovers the issuer public key certificate with the CA key, then the ICC certificate with the issuer key, and finally checks the card's signature. A revocation mechanism (lists of revoked or expired CA keys and certificates) is also generally provided to acquirers, who must apply it across their terminal estate.
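To make the offline-authentication use of these CA keys concrete, the following added example (not from the article, and not the code of any scheme or terminal vendor) implements the first link of the chain, the recovery and verification of an issuer public key certificate, in the way EMV Book 2 describes it. The RSA keys are toy keys generated on the fly; the RID, CA public key index, certificate serial number and revocation list are assumed values; the exponent 2^16+1 is one of the two values EMV permits, and SHA-1 is the hash EMV specifies for these certificates.

```python
"""EMV issuer public key certificate recovery (EMV Book 2, section 6.3).

Added illustration, not the article's code. A terminal runs these checks with
the scheme CA public key before it can trust the issuer key, which in turn
certifies the ICC key used for DDA/CDA. Keys are toy keys generated here; the
RID, CA index, serial number and revocation list are assumed values.
"""
import hashlib
import hmac
import secrets

def _is_probable_prime(n, rounds=32):
    """Miller-Rabin; fine for a toy CA, use a vetted library for real keys."""
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for _ in range(rounds):
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _gen_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(c):
            return c

def gen_rsa(modulus_bytes, e=65537):
    """Return (n, e, d) with n exactly modulus_bytes long."""
    while True:
        p, q = _gen_prime(modulus_bytes * 4), _gen_prime(modulus_bytes * 4)
        n, phi = p * q, (p - 1) * (q - 1)
        if n.bit_length() == modulus_bytes * 8 and phi % e:  # e is prime, so e not dividing phi means gcd 1
            return n, e, pow(e, -1, phi)

def _rsa(n, k, data):
    """Raw RSA with message recovery: k = d to sign, k = e to recover."""
    return pow(int.from_bytes(data, "big"), k, n).to_bytes(len(data), "big")

def issue_issuer_cert(ca, issuer, issuer_id_digits, expiry_mmyy, serial):
    """CA side: build and sign the certificate; returns (cert, remainder, exponent)."""
    n_ca, _, d_ca = ca
    n_i, e_i, _ = issuer
    n_ca_len = (n_ca.bit_length() + 7) // 8
    mod_i = n_i.to_bytes((n_i.bit_length() + 7) // 8, "big")
    exp_i = e_i.to_bytes((e_i.bit_length() + 7) // 8, "big")
    if len(mod_i) > n_ca_len:
        raise ValueError("EMV requires N_I <= N_CA")
    body = (b"\x02" + bytes.fromhex(issuer_id_digits.ljust(8, "F")) + bytes.fromhex(expiry_mmyy)
            + serial + b"\x01\x01" + bytes([len(mod_i), len(exp_i)]))
    left, remainder = mod_i[:n_ca_len - 36], mod_i[n_ca_len - 36:]
    left = left.ljust(n_ca_len - 36, b"\xbb")   # 'BB' padding when N_I <= N_CA - 36
    digest = hashlib.sha1(body + left + remainder + exp_i).digest()
    cert = _rsa(n_ca, d_ca, b"\x6a" + body + left + digest + b"\xbc")
    return cert, remainder, exp_i

def verify_issuer_cert(ca_pk, cert, remainder, exponent, pan, today_yymm, revoked, rid, ca_index):
    """Terminal side: returns (n_issuer, e_issuer) or raises ValueError."""
    n_ca, e_ca = ca_pk
    n_ca_len = (n_ca.bit_length() + 7) // 8
    if len(cert) != n_ca_len:
        raise ValueError("certificate length differs from N_CA")
    rec = _rsa(n_ca, e_ca, cert)
    if rec[-1] != 0xBC or rec[0] != 0x6A or rec[1] != 0x02:
        raise ValueError("bad trailer, header or certificate format")
    if rec[11] != 0x01 or rec[12] != 0x01:
        raise ValueError("unrecognised hash or public key algorithm indicator")
    digest = hashlib.sha1(rec[1:n_ca_len - 21] + remainder + exponent).digest()
    if not hmac.compare_digest(digest, rec[n_ca_len - 21:n_ca_len - 1]):
        raise ValueError("hash mismatch: certificate forged or corrupted")
    if not pan.startswith(rec[2:6].hex().upper().rstrip("F")):
        raise ValueError("issuer identifier does not match the PAN")
    exp = rec[6:8].hex()                         # MMYY on the card, compared as YYMM
    if today_yymm > exp[2:] + exp[:2]:
        raise ValueError("certificate expired")
    if (rid, ca_index, rec[8:11].hex().upper()) in revoked:
        raise ValueError("certificate serial number is revoked")
    n_i_len, e_len = rec[13], rec[14]
    modulus = (rec[15:n_ca_len - 21] + remainder)[:n_i_len]
    if len(modulus) != n_i_len or len(exponent) != e_len:
        raise ValueError("recovered key lengths inconsistent with certificate")
    return int.from_bytes(modulus, "big"), int.from_bytes(exponent, "big")

def verify_ok(*args, **kwargs):
    try:
        verify_issuer_cert(*args, **kwargs)
        return True
    except ValueError:
        return False
```

The checks run in the order a terminal applies them: length, trailer, header, format, algorithm indicators, hash, issuer identifier against the PAN, expiry, revocation, and only then the key lengths; any failure means the issuer key, and therefore the card, cannot be trusted offline. The same recovery pattern, with the issuer key instead of the CA key, yields the ICC public key, and a final RSA recovery checks the Signed Dynamic Application Data for DDA/CDA.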
Remote PIN key loading
An acquirer usually loads its keys remotely into the terminal's PIN entry device. This falls under the PCI PIN Security Requirements. The keys that will encrypt the PIN are distributed with mechanisms compliant with ANSI X9.24, for example TR-34 for remote key establishment with asymmetric techniques, TR-31 key blocks for wrapping symmetric keys, and DUKPT for deriving a unique PIN-encryption key per transaction.
Securing the payment terminal network
In the past, acquirer terminals connected over dedicated, isolated networks, using X.25 for example. Nowadays they mostly use VPN (Virtual Private Network) technology over shared networks. Acquirers must apply many techniques to secure their networks of payment terminals, and ATMs in particular: link encryption, endpoint security, and so on. Keys and certificates can be loaded into the payment terminals the acquirer maintains so that each terminal authenticates itself to the network.
Protection of the Acquirers via the PCI protection program
As a general rule, acquirers are responsible for ensuring that their merchants implement the protection and compliance programs, whether those of the card associations or PCI DSS. It is ultimately up to a merchant's acquirer to ensure that the merchant is compliant.
Acquirers must educate and train their merchants about PCI DSS, and must build and manage a PCI compliance program for each of them. This protects not only the merchants but also the acquirer itself.
Conclusion
In the EMV four-corner model, the security mechanisms available to acquirers are complex. Only expert systems can help acquirers protect themselves and monitor their merchants' activity and status. Apart from the key management needed by the terminal estate, these protection systems are less a matter of cryptography than of risk management and data science, together with tracking and reporting the PCI DSS compliance of each merchant.