Payments 101 Overview of the Payments Ecosystem ETA

Payments 101: Overview of the Payments Ecosystem ETA UNIVERSITY MARCH 19, 2015 R ICH Deana Rich C O N S U L T I N, G I N C. Edward A. Marshall A RNALL G OLDEN G REGORY L L P

The Ecosystem and its Components

Open-Loop Model

Card Networks and Member Banks

Card Networks and Member Banks � Card Networks Visa, Master. Card, and Discover (see also American Express) Provide infrastructure and brand acceptance Clear and settle transaction information (not funds) Establish interchange system and set rates (paid to issuer) Accept dues and assessments Establish and manage compliance with operating rules and regulations

Card Networks and Member Banks �Member Banks (Acquiring and Issuing) Regulated financial institutions Must comply with network/brand rules and regulations May issue cards and/or acquire transactions directly

Card Networks and Member Banks � Issuing Banks Consumer “on-ramp” to the payments ecosystem Contract directly with consumer (cardholder); bill and receive reimbursement from cardholder Receive interchange fees from acquiring bank Settle transactions with acquiring banks (via networks) May also offer prepaid e. g. , JPMorgan Chase & Co. ; Capital One; U. S. Bank

Card Networks and Member Banks � Acquiring Banks e. g. , BMO Harris Bank; Wells Fargo; HSBC Bank Merchant side of payments ecosystem May sponsor agents, including processors and ISOs (“acquirers”) Responsible for compliance with card networks’ rules and regulations Carry and manage ALL risk associated with agents and their customers (merchants)

The Acquirers

The Acquirers � “Acquirers, ” a Versatile Concept Acquiring Banks Processors ISOs Sub-ISOs Sales Agents � Merchant “on-ramp” to the payments ecosystem � Contract with, bill fees to merchants � Collect interchange fees from merchants through “discount rate” � Must comply with networks’ rules and regulations

The Acquirers � Processors e. g. , First Data; TSYS; Global Payments; Heartland; Worldpay Provide connectivity to networks for purposes of authorization (front-end), clearing and settlement (back-end) Provide various levels of backoffice support Execute agreements with Member Bank, ISOs Can, and frequently does, also function as an ISO (recruiting merchants through salesforce)

The Acquirers � ISOs and Sub-ISOs Independent Sales Organizations Sponsored by Acquiring Bank Sell payment acceptance access to merchants May also provide various levels of back-office support (e. g. , customer service, tech support, statements and reporting) and additional features May have downstream agents (sub. ISOs or sales agents) also selling for them

The Acquirers � Retail (Non-Risk-Bearing) ISOs Entrust risk monitoring and underwriting to processor or other ISO � Wholesale (Risk-Bearing) ISOs Conduct own underwriting and risk monitoring, subject to oversight Indemnify banks and processors for losses related to returns, chargebacks, fraud, and data breaches Banks and processors maintain liability for all downstream activity

A Day in the Life of a Transaction

A Day in the Life: Payment Authorization

A Day in the Life: Settlement � Interchange fees paid to issuing bank � Additional fees collected by processor, acquiring bank, and ISO for services

Ecosystem Risk

Minimal Cardholder Risk �Regulation E �Regulation Z �Credit CARD Act of 2009 �Chargeback Protections

Chargebacks �Dissatisfied consumer can contest a charge (e. g. , unauthorized transaction, did not receive purchase, defective purchase, deceptive merchant conduct) �Issuing Bank removes from statement; recoups money from Acquiring Bank �Acquiring Bank recoups from Processor and/or Risk- Bearing ISO, and, ultimately, Merchant* �Card Networks resolve disputes regarding chargeback validity (consumer friendly)

Ecosystem Chargeback Risk � Merchants may lack financial wherewithal to pay chargeback(s) � Thus, Acquiring Bank, Processor, and/or Risk. Bearing ISO may shoulder responsibility � Importance of Underwriting, Risk Monitoring, and Reserves *

Liability Value Chain and Industry Oversight �Liability Value Chain Card Networks Member Banks Risk-Bearing ISOs Merchants �Industry Oversight Card Network Rules Industry Guidelines (ETA) Bank Regulators Non-Banking Regulators

Data Breach Protection (and Risk) � PCI DSS Evolving standards to keep data secure Validation and compliance testing required by PCI Council and card networks (by merchant level) � EMV: Security at POS � Encryption: Security for Authorization Transmission � Tokenization: Security Post- Transaction

Data Breach Risk at Merchant Level � Consumer Notification (State Law Patchwork) � Card Network Liability Forensic investigations Non-compliance liability assessments Card reissuance cost, data breach assessments, and fraud reimbursement schedules � Legal Risk Consumer and shareholder litigation FTC action

Data Breach Risk within the Ecosystem � Accepting merchants and consumers are largely insulated from counterfeit card fraud loss � Acquiring Bank, Processor, and/or Risk Bearing ISO bear ultimate liability for Fines, Assessments, Reissue Costs (by merchant level) � Issuing Bank bear risk for remainder � Impact of EMV

Questions © 2015 | All Rights Reserved Deana Rich President RICH CONSULTING, INC. deanarich@deanarich. com 818. 787. 5837 Edward A. Marshall Partner ARNALL GOLDEN GREGORY LLP edward. marshall@agg. com 404. 873. 8536 www. deanarich. com www. agg. com