Regulatory Risks for ISOs in Payment Processing
Independent Sales Organizations (ISOs) play a central role in the payment processing ecosystem. ISOs typically recruit merchants, assist with merchant onboarding, and facilitate relationships between merchants, payment processors, and acquiring banks.
Although ISOs are not always the primary regulated financial institution in the payment processing chain, their activities operate within a complex legal and regulatory framework governing electronic payments, fraud prevention, and data security.
These regulatory considerations are often reflected in ISO agreements with processors and acquiring banks, which must carefully allocate compliance responsibilities and risk. Dilendorf Law Firm helps ISOs with negotiating these agreements and addressing regulatory risk exposure.
As a result, ISOs face regulatory and legal risks related to fraud prevention, anti-money laundering obligations, data security requirements, and contractual liability within the payment card ecosystem. Understanding these risks is essential for ISOs seeking to maintain stable relationships with processors and avoid regulatory scrutiny.
Federal Statutory and Regulatory Framework
Several federal statutes indirectly affect the operations of businesses participating in the payment processing ecosystem.
Risk Management Standards
Under 12 U.S.C. § 5464, the Federal Reserve may establish risk management standards designed to promote the safety and stability of payment systems. These standards are intended to support sound risk management, reduce systemic risks, and maintain financial stability within the financial infrastructure.
Although ISOs may not always fall directly within the scope of these rules, their activities—particularly merchant onboarding and transaction facilitation—can create regulatory exposure if they contribute to operational or compliance failures within the payment system.
Fraud Prevention in Electronic Transactions
Electronic debit transactions are governed in part by federal law, including 15 U.S.C. § 1693o-2, which focuses on fraud prevention and the use of cost-effective fraud prevention technologies.
While ISOs are not directly regulated under this provision, they play an important role in onboarding merchants and facilitating payment transactions. Weak merchant screening practices can expose processors and acquiring banks to fraud risks, which in turn can result in contractual or regulatory consequences for the ISO.
Anti-Money Laundering Compliance
Financial institutions must maintain anti-money laundering (AML) programs under 31 U.S.C. § 5318, which requires policies, procedures, and internal controls designed to detect and report suspicious financial activity.
Because ISOs often act as intermediaries between merchants and financial institutions, their onboarding and merchant monitoring practices may become relevant in AML investigations. Failure to perform adequate due diligence on merchants can lead to processor termination or regulatory scrutiny.
Industry Standards and Data Security Obligations
Beyond federal statutes, ISOs must comply with industry security standards and contractual obligations governing payment card transactions.
PCI Data Security Standards (PCI DSS)
Payment card transactions are governed by the Payment Card Industry Data Security Standards (PCI DSS), which establish requirements for protecting cardholder data across the payment processing ecosystem.
Courts have repeatedly emphasized the contractual importance of these security standards.
For example, in Paymentech, L.L.C. v. Landry’s Inc., the Fifth Circuit explained that the merchant agreement required compliance with payment brand security rules and imposed liability for security failures. The court noted that:
“The Merchant Agreement required Landry’s to comply with all applicable Payment Brand rules and data security standards, including its cooperation with any forensic investigation required by a Payment Brand in the event of a breach.”
When a major data breach exposed cardholder data, the payment networks imposed substantial financial assessments. The court further explained that:
“Visa levied approximately $12.5 million in assessments; Mastercard approximately $10.5 million.”
These cases illustrate how failures to comply with payment security standards can trigger contractual liability within the payment processing ecosystem.
Contractual Risk Allocation in the Payment Card System
The payment card system operates through a network of contractual relationships involving merchants, processors, acquiring banks, issuing banks, and payment networks.
Courts have recognized that these contractual relationships govern how losses are allocated when security failures occur. In Community Bank of Trenton v. Schnuck Markets, Inc., the court explained the structure of the electronic payment system:
“When a customer uses a credit or debit card at a retail store, the merchant collects the customer’s information […] the track data and the amount of the intended purchase are forwarded electronically to the merchant’s bank (the ‘acquiring bank’), usually through a payment processing company.”
The court emphasized that the system is governed primarily by contractual relationships among the participating entities in the payment network.
Fraud and Misconduct Risks in ISO Operations
ISOs may also face litigation or regulatory exposure when fraudulent conduct occurs in connection with merchant onboarding or equipment leasing arrangements.
In Matter of People of the State of New York v. Northern Leasing Systems, Inc., the court described allegations involving misconduct by ISO sales representatives in the credit card processing industry. The court noted that:
“The ISOs misrepresented to those consumers the nature and terms of the EFLs and failed to disclose that they were entering into contracts with two different companies.”
The court further explained that some agreements allegedly contained hidden or onerous terms and that in certain instances the ISOs “forged the names of consumers or unilaterally altered the terms of the EFLs after they were signed.”
Cases involving allegations of misconduct can also raise broader litigation risks. In Aghaeepour v. Northern Leasing Systems, Inc., plaintiffs asserted claims under the Racketeer Influenced and Corrupt Organizations Act (RICO) based on alleged misconduct connected to equipment leases and collection practices.
These cases demonstrate that inadequate supervision of sales practices or merchant onboarding activities can expose companies operating in the payment processing ecosystem to substantial litigation risk.
Mitigating Regulatory Risks for ISOs
To reduce regulatory exposure, ISOs should adopt comprehensive compliance and risk management practices.
Key steps may include:
- Implementing compliance programs: ISOs should establish policies addressing fraud prevention, AML compliance, and merchant due diligence.
- Conducting thorough merchant screening: Proper vetting of merchants can reduce the risk of facilitating fraudulent or high-risk transactions.
- Establishing oversight mechanisms: Monitoring sales agents and merchant onboarding processes can help prevent misconduct.
- Negotiating contractual protections: ISO agreements should clearly allocate liability for fraud, data security breaches, and regulatory compliance obligations.
- Regularly reviewing compliance policies: Payment system regulations and network rules evolve frequently, making periodic compliance reviews essential.
Conclusion
Independent Sales Organizations operate within a complex legal environment shaped by federal regulations, payment network rules, and contractual obligations within the payment processing ecosystem.
Although ISOs are not always directly regulated financial institutions, their activities can expose them to significant regulatory and litigation risks related to fraud prevention, data security, and merchant onboarding practices.
Careful compliance practices and well-structured contractual arrangements are essential to mitigate these risks and maintain stable relationships with processors and financial institutions.
Contact Us
If you are negotiating an ISO agreement, planning to sell a merchant portfolio, or exploring the launch of your own ISO—whether retail or wholesale—legal guidance can help you structure your business, manage risk, and protect your rights.
Contact us at info@dilendorf.com to discuss your matter.