Type: Law Bulletins
Date: 05/26/2026

The Merchant of Record (MoR) Designation Has Significant Privacy and Data Security Implications

Many companies negotiate contracts containing merchant of record designations without fully appreciating the significance of that designation from a privacy and data security perspective.

For purposes of this article, the merchant of record is the party that both contracts directly with the payment processor and holds the direct consumer relationship for the transaction. The MoR is the business the consumer knows, interacts with, and sees on the cardholder billing statement. This is the traditional direct-merchant model, distinct from platform arrangements where the SaaS provider or marketplace may hold the processor contract and billing-statement presence while the underlying store holds the consumer relationship.

Below is a summary of the key risks and contractual safeguards tied to merchant-of-record status.

The merchant of record is typically viewed by consumers as the party responsible for the transaction. As a result, the merchant of record often bears the practical burden of making privacy disclosures, obtaining required consents, responding to privacy complaints, and addressing customer concerns relating to transaction data.

This issue frequently arises in SaaS and platform businesses partnering with tech-centric processors and payment facilitators that seek to leverage large volumes of transaction data.

A common assumption is that the processor is acting only as a service provider for the merchant of record. That assumption overlooks important legal and operational complexities. Payment processors frequently act as independent controllers for certain payment-ecosystem functions, including legal and regulatory compliance, fraud prevention, security, and card-brand or network obligations. The more significant issue for the merchant of record is whether the agreement also permits the processor to use identifiable transaction data for broader purposes, such as analytics, benchmarking, machine learning, or product-improvement activities that are not necessary to provide the contracted payment services or satisfy those associated obligations.

That distinction matters because the consumer generally does not know who the processor is, does not review the processor’s privacy terms, and is instead relying on the merchant of record’s privacy disclosures and transaction experience.

Key issues when a processor independently uses identifiable transaction data beyond completing the transaction and satisfying fraud-prevention, security, card-brand, and regulatory obligations:

  • disclosures relating to those independent uses;
  • obtaining legally required consents, where applicable;
  • compliance obligations associated with those uses; and
  • liability arising from incidents involving data retained or used for those independent purposes.

Merchants of record should also carefully evaluate whether broader processor uses of identifiable transaction data should be contractually restricted or permitted only if the data is aggregated and anonymized.

The merchant of record designation also has important implications for breach allocation and incident response.

Because the merchant of record is often viewed as the responsible transaction party, agreements should distinguish between incidents arising from:

  • compromise of MoR-controlled credentials or systems;
  • compromise of the processor’s infrastructure or platform; and
  • compromise of transaction data independently retained or used by the processor for purposes beyond providing the contracted services.

Those incidents do not present the same operational or legal risk profile and should not automatically carry the same allocation of liability, indemnity obligations, or regulatory responsibility. Regulatory obligations may apply independently of contractual allocation.

The practical takeaway is straightforward:

  • carefully review merchant of record provisions together with the processor’s Data Processing Agreement (DPA) and data-use provisions;
  • identify whether the processor is permitted to use identifiable transaction data beyond providing the services and satisfying associated legal, regulatory, fraud-prevention, security, and card-brand obligations;
  • contractually restrict broader uses of identifiable transaction data where commercially feasible;
  • require data aggregation and anonymization where appropriate for broader analytics or product-improvement uses; and
  • allocate privacy, breach, and compliance responsibility based on which party controlled the compromised system, retained the data, and benefited from the use of the data.

Merchant of record status is a critical commercial payments consideration throughout the transaction relationship, with significant privacy and data security implications that merit careful attention.

If your business is negotiating a merchant of record arrangement, experienced counsel can help ensure your contracts align with your risk tolerance and regulatory obligations.