With respect to above-board merchants and payment processors, the potentially troubling scenario involves subscription-based services or products, where it is essential for the merchant to be able to transfer its customers’ information to a new processor. The specific transaction structure raising these issues is as follows:
- Merchant contracts with a processor to process internet-based transactions whereby the processor is merchant of record; and
- To facilitate sales and funds flow, upon receipt of an order, the merchant first “sells” its service to the processor, the processor obtains the customer’s payment card information, and the processor “resells” the product or service to the customer.
In the above scenario, a strict reading of ROSCA indicates that the processor is the “Initial Merchant” under ROSCA, and the merchant is a “Post-transaction Third Party Seller”. Accordingly, ROSCA prohibits the passing of payment card information from the processor back to the merchant, despite the fact that a reasonable person viewing the transaction, (or series of transactions) would recognize that the merchant is truly the “seller” and the processor is acting as the seller’s processing agent – even if the structure contemplates the passing of title to the product or service from the merchant through the processor.
From a merchant’s perspective, this prohibition on data passing may make receiving payment card data difficult, if not impossible, in the context of a transition from one processor to another. From a processor’s perspective, the restriction may allow it to obtain concessions from merchants prior to engaging in transition assistance (namely, indemnification coverage).
So, what should processors and merchants be doing to avoid a ROSCA problem? Because ROSCA is a consumer protection statute, it is essential that all reasonable steps are taken to protect the consumer’s data, and to make sure that from a reasonable consumer’s perspective, the product or service is being purchased from the merchant. In such circumstances, the consumer will likely suffer no harm from the “passing” of data back to the merchant and then to a new processor. Additionally, if the deal economics allow for it, transactions whereby title passes from a merchant to a processor prior to being sold to the customer should be avoided. If the deal economics require a transfer of title to the processor, the agreement between the merchant and the processor should establish up front the procedure for transferring data back to the merchant (or its designee), including appropriate indemnification coverage for the processor.