
ISO & ISV Risk Perspectives

Last Updated: 2025-02-17 Status: Complete

This section examines how risk and compliance responsibilities differ across payment distribution models. While the previous sections focus primarily on Payment Facilitator (PayFac) obligations, Independent Sales Organizations (ISOs) and Independent Software Vendors (ISVs) have distinct risk profiles and compliance requirements.

Quick Reference

| Aspect | ISO | ISV | PayFac |
|---|---|---|---|
| Chargeback Liability | None (pass-through) | Varies by model | Full first-line |
| PCI Scope | Minimal to none | Varies by integration | Full Level 1 SP |
| AML/BSA | Generally not applicable | Generally not applicable | Full MSB obligations |
| Network Registration | Third-Party Agent | Usually none | PayFac registration |
| Reserve Requirements | None from merchants | None from users | Required from sub-merchants |
| MATCH Listing | Rare (principal violations) | Rare | Common (merchant issues) |

The Risk Spectrum

Understanding where each entity sits on the risk and responsibility spectrum is essential for platform design decisions.

Why This Matters

Understanding the ISO and ISV perspective is critical for:

  1. Platform Architecture Decisions - Choosing between ISO partnerships, ISV integrations, or full PayFac builds affects risk exposure
  2. Partnership Structures - Negotiating appropriate liability allocation in partner agreements
  3. Sub-Agent Management - ISOs working with your PayFac need clear risk boundaries
  4. Vertical Expansion - ISVs integrating payments must understand compliance scope
  5. Risk Assessment - Evaluating partners requires understanding their risk profiles

Entity Definitions

ISO (Independent Sales Organization)

What is an ISO? An ISO is a third-party sales and distribution partner that refers merchants to acquirers or processors. ISOs:

  • Do NOT process transactions
  • Do NOT hold merchant funds (typically)
  • Do NOT take chargeback liability
  • DO provide merchant acquisition, onboarding support, and ongoing service
  • DO earn residual income on merchant volume

Risk Profile: Lowest in the payment chain. Primary risks are reputational and contractual.

See ISOs in the Ecosystem for business model details.

ISV (Independent Software Vendor)

An ISV is a software company that may embed payments into their platform. ISVs operate across a spectrum:

| Integration Level | Risk Level | Example |
|---|---|---|
| Referral only | Very low | Software recommends payment provider |
| API integration | Low-medium | Software connects to payment gateway |
| Embedded (PFaaS) | Medium | Software uses PayFac-as-a-Service |
| Full PayFac | High | Software becomes registered PayFac |

Risk Profile: Varies dramatically by integration model. Referral ISVs have minimal risk; PayFac ISVs have full liability.

See ISVs in the Ecosystem for business model details.

PayFac (Payment Facilitator)

For comparison, a PayFac is a master merchant that onboards sub-merchants under its own merchant account. PayFacs:

  • DO take first-line chargeback liability
  • DO hold and distribute sub-merchant funds
  • DO perform underwriting and KYC/KYB
  • DO maintain compliance with PCI, AML, network rules
  • DO register with card networks

Risk Profile: Highest in the distribution chain. Full financial, regulatory, and operational liability.

Comparison Matrix

Regulatory and Compliance Obligations

| Requirement | ISO | ISV (Non-PayFac) | PayFac |
|---|---|---|---|
| Card Network Registration | Third-Party Agent | Optional (gateway) | PayFac registration |
| PCI-DSS Compliance | SAQ or none | SAQ-A to Level 1 | Level 1 Service Provider |
| AML/BSA Program | No | No | Yes (MSB) |
| Money Transmitter License | No | Rarely | Often required |
| Sponsor Bank Agreement | Yes | Via PayFac/processor | Yes |

Financial Risk Exposure

| Risk Type | ISO | ISV (Non-PayFac) | PayFac |
|---|---|---|---|
| Chargeback Losses | None | None | First-line liability |
| Fraud Losses | None | Contractual exposure | Direct exposure |
| Reserve Obligations | None | None | Required |
| Network Fines | Indirect (sponsor) | Indirect | Direct |
| MATCH Listing Risk | Rare | Rare | Common |

Operational Requirements

| Function | ISO | ISV (Non-PayFac) | PayFac |
|---|---|---|---|
| Merchant Underwriting | Assist (bank decides) | None | Full responsibility |
| Transaction Monitoring | Limited | Limited | Comprehensive |
| Chargeback Management | Support merchant | None | Full management |
| SAR Filing | No | No | Yes |
| Merchant Termination | Recommend | N/A | Execute |

Sections in This Category

Liability Structures

Deep dive into how chargeback, fraud, and regulatory liability flows across entity types:

  • Chargeback liability by model
  • Reserve requirement differences
  • Sub-agent liability cascading
  • Contractual risk allocation

Compliance Obligations

Compliance requirements by entity type:

  • PCI-DSS scope by model
  • AML/BSA applicability
  • Network registration requirements
  • Money transmitter considerations

Network Program Applicability

How network monitoring programs apply to each entity:

  • VAMP applicability for ISOs
  • ECP/EFM applicability for ISVs
  • MATCH list implications
  • Program responsibility allocation

Portfolio Risk Management

Risk management specific to ISO and ISV portfolios:

  • Sub-agent due diligence
  • Vertical-specific compliance
  • KYC/KYB delegation
  • Ongoing monitoring requirements

Quiz

Self-assessment questions covering ISO and ISV risk concepts.

Key Concepts

Risk Flows Upward

In the payment hierarchy, risk ultimately flows upward to the sponsor bank:

Liability Allocation by Agreement

Risk distribution is defined by contracts at each level:

| Agreement Level | Parties | Key Risk Terms |
|---|---|---|
| Sponsor Agreement | Bank ↔ PayFac | Reserve requirements, chargeback limits, termination thresholds |
| ISO Agreement | PayFac ↔ ISO | Merchant quality standards, prohibited MCCs, liability limits |
| Merchant Agreement | PayFac ↔ Merchant | Chargeback responsibility, refund policies, prohibited activities |

The "Know Your Partner" Principle

Each entity must perform due diligence appropriate to their risk exposure:

| Entity | Due Diligence Focus |
|---|---|
| PayFac | Full KYC/KYB on sub-merchants |
| ISO | Merchant qualification screening |
| ISV | User verification for embedded payments |
| Sponsor Bank | PayFac and ISO financial stability |
