Recently we’ve noticed a trend of certain payment processors claiming that the Restore Online Shoppers’ Confidence Act of 2010 (“ROSCA”) prevents such processors from transferring customers’ payment card information to the merchant upon the termination of the merchant/processor arrangement.  ROSCA, which was passed by Congress in 2010 as a consumer protection statute, prohibits so called “data passing” from an “Initial Merchant” to a “Post-transaction Third Party Seller”.  The Act was intended to catch con artists and other unscrupulous parties from surreptitiously passing payment card data to third parties, pursuant to language buried deep in privacy policies and terms of use.  The quintessential case is one where a consumer purchases a good from a merchant, and is unbeknownst to the consumer, automatically subscribed for a negative option fee-based program.

With respect to above-board merchants and payment processors, the potentially troubling scenario involves subscription-based services or products, where it is essential for the merchant to be able to transfer its customers’ information to a new processor.  The specific transaction structure raising these issues is as follows:

  • Merchant contracts with a processor to process internet-based transactions whereby the processor is merchant of record; and
  • To facilitate sales and funds flow, upon receipt of an order, the merchant first “sells” its service to the processor, the processor obtains the customer’s payment card information, and the processor “resells” the product or service to the customer.

In the above scenario, a strict reading of ROSCA indicates that the processor is the “Initial Merchant” under ROSCA, and the merchant is a “Post-transaction Third Party Seller”.  Accordingly, ROSCA prohibits the passing of payment card information from the processor back to the merchant, despite the fact that a reasonable person viewing the transaction, (or series of transactions) would recognize that the merchant is truly the “seller” and the processor is acting as the seller’s processing agent – even if the structure contemplates the passing of title to the product or service from the merchant through the processor.

From a merchant’s perspective, this prohibition on data passing may make receiving payment card data difficult, if not impossible, in the context of a transition from one processor to another.  From a processor’s perspective, the restriction may allow it to obtain concessions from merchants prior to engaging in transition assistance (namely, indemnification coverage).

So, what should processors and merchants be doing to avoid a ROSCA problem? Because ROSCA is a consumer protection statute, it is essential that all reasonable steps are taken to protect the consumer’s data, and to make sure that from a reasonable consumer’s perspective, the product or service is being purchased from the merchant.  In such circumstances, the consumer will likely suffer no harm from the “passing” of data back to the merchant and then to a new processor. Additionally, if the deal economics allow for it, transactions whereby title passes from a merchant to a processor prior to being sold to the customer should be avoided.  If the deal economics require a transfer of title to the processor, the agreement between the merchant and the processor should establish up front the procedure for transferring data back to the merchant (or its designee), including appropriate indemnification coverage for the processor.