Demystifying payfacs

A guide to payment facilitation for platforms and marketplaces.

Introduction

Technology has fundamentally changed how businesses, acquiring banks, and card networks work together. The rise of software platforms has accelerated the change: increasingly, these platforms are connecting buyers and sellers in new ways, adding payments functionality, and creating new purchase experiences.

In this guide, we’ll explore what a payment facilitator (often abbreviated as payfac or PF) is, identify whether your business needs to become a payfac to achieve your goals, and examine the considerations and costs of becoming a registered payfac.

If you have any questions or would like to review your specific platform and business model with Stripe, just get in touch — we’d be happy to help.

What is a payment facilitator?

Today, many platforms and marketplaces help merchants accept payments by providing online services for companies of all sizes. Payments functionality has become integral for these platforms to differentiate their product and create stickiness, and merchants using the platform no longer need to establish direct relationships with acquiring banks or payment gateways.

Below are some of the most common types of platforms and marketplaces:

  • E-commerce: Platforms, such as Shopify and Squarespace, which help businesses or individuals sell physical goods online.
  • Invoicing: Platforms, like Xero and FreshBooks, which help businesses invoice their clients.
  • Fundraising: Platforms, such as Blackbaud and Kindrid, which help nonprofits and charities raise money or collect donations.
  • Booking: Platforms, like MINDBODY and FareHarbor, which facilitate the scheduling of appointments.
  • Travel and ticketing: Marketplaces, like Airbnb and Victor, which help connect individuals with accommodations and experiences.
  • Retail: Marketplaces, such as Tradesy, which help individuals sell to each other.
  • On-demand services: A range of services falls into this category, including ride-sharing (e.g., Lyft, Uber), restaurant delivery (e.g., Deliveroo, DoorDash), and professional services (e.g., Handy).
  • Other: We’re constantly seeing platforms emerge that are either hybrids or something entirely new, supporting services like online health, pharmacy delivery—even horse rentals.

While each type of platform or marketplace is different, many have made payments a core part of the customer experience. Adding payments capabilities is a relatively new way to differentiate service offerings and brands.

Traditionally, adding payments functionality required a platform or marketplace to register and maintain status as a payment facilitator with the card networks (e.g., Visa or Mastercard) since it was seen as controlling the flow of funds (i.e., how money moves between buyers and sellers).

Payment facilitation operates at the nexus of banks, card networks, and regulatory organizations. All three share a responsibility to ensure the security and soundness of the payments ecosystem, and payment facilitators are a unique operating category with associated requirements.

In general, payment facilitators fall into three categories:

  1. Commerce platform providers like Stripe, which enable digital transactions through innovative or enhanced technology on a white label basis. The platform owns payment flows and is responsible for paying out funds to its merchants (referred to as sub-merchants) directly.
  2. Independent software vendors — or ISVs — that white label another solution. The ISV directly offers payment solutions but does not control the underlying technology.
  3. Marketplaces or platforms that aggregate a set of sub-merchants, generally serve as the merchant of record, and control the flow of funds and payouts to sub-merchants.

Even though there are a variety of models, payfacs are actually quite rare. (There are only a few hundred registered payfacs in the US.) Today, it’s easy to add the payments functionality that most platforms and marketplaces require without becoming a payfac—by using a solution like Stripe Connect.

History of payfacs

The payfac model was popularized in the late 1990s as a way to help small- and medium-size businesses accept online payments more easily. Historically, a bank’s onboarding requirements catered to larger businesses that could manage the complex, costly, and time-consuming legacy setup processes. Essentially, these companies had to become experts in payments while also building their core business and product.

The payfac model emerged to give companies that specialized in payments the ability to reduce the complexity of getting started with online payments and offer services to a broader array of businesses, allowing them to focus on their core competencies.

The payfac takes on setting up and managing multiple relationships and systems—the ones the merchant would otherwise need to establish and maintain with each individual party. The payfac takes on setting up and managing multiple relationships and systems—the ones the merchant would otherwise need to establish and maintain with each individual party.

Payfacs vs. ISOs

For historical context, the card networks (e.g., Visa and Mastercard) created the concept of a third-party agent (TPA), which is a category that broadly includes independent sales organizations (ISOs), payfacs, and other businesses that provide payment services to merchants. The card networks require banks to register these TPAs to ensure the following:

  • Merchants and TPAs adhere to the card networks’ rules.
  • Merchants are properly underwritten and monitored.
  • Settlement, funding, and reserve requirements are met.
  • Payment card data collection and storage meet security requirements.

ISOs often come up in conversations related to payfacs, but they’re not the same thing. Here’s how to distinguish a payfac from an ISO:

Payfac ISO
Usually the merchant of record Not always the merchant of record
Onboards sub-merchants directly Outsources onboarding
Controls the flow of funds Does not control the flow of funds
Pays out funds to sub-merchants Relies on acquiring bank to pay out funds to sub-merchants
Responsible for sub-merchant underwriting (i.e., compliance, risk, etc.) Acquiring bank responsible for underwriting (i.e., compliance, risk, etc.)
Skews toward online payments and e-commerce Skews toward legacy or offline payments

In short, the payfac controls the flow of funds and assumes responsibility for paying out funds to merchants directly, which has stricter verification and security requirements and is subject to additional compliance regulations. An ISO serves as an extension of the acquiring bank and provides merchant processing services on the acquirer’s behalf and does not control the flow of funds.

What do payfacs do?

Payfacs open a merchant bank account and receive a merchant ID (MID) to acquire and aggregate payments for a group of smaller merchants, typically called sub-merchants. Payfacs have embedded payment systems and register their master MID with an acquiring bank. Sub-merchants, on the other hand, are not required to register their unique MIDs—instead, transactions are aggregated under the payfac’s master MID. This is meant to reduce the complexity that sub-merchants would face setting up online payments on their own by eliminating the need for them to establish and maintain relationships with an acquiring bank, payment gateway, and other service providers.

Payfacs simplify the online payments setup for sub-merchants. Payfacs simplify the online payments setup for sub-merchants.

What are payfacs responsible for?

Financial partners, card networks, regulators, and acquirers are most concerned with the following when it comes to payment facilitation:

  • Controlling who is on the platform: Setting up the right onboarding processes and building trust in those processes.
  • Meeting KYC, AML, and OFAC compliance requirements: Ensuring sub-merchants are verified to control for money laundering, terrorist financing, and other risks and meeting Know Your Customer (KYC), anti-money laundering (AML), and the US Office of Foreign Asset Control (OFAC) requirements. If operating internationally, there are many other regulatory bodies to consider.
  • Auditing account activity on the platform: Putting controls in place to track and mitigate high-risk financial activity on an ongoing basis.
  • Being PCI compliant: Ensuring the platform is Payment Card Industry (PCI) compliant and all sub-merchants are accepting payments from customers in a compliant way. To learn more, review our guide to PCI compliance.

Though these four categories are clear, it’s difficult to find a consistent description of a payfac’s granular responsibilities. Even the card networks have their own nuanced definitions.

Visa defines a payment facilitator as a third-party agent that may do the following:

  • Sign a merchant acceptance agreement on behalf of an acquirer.
  • Receive settlement of transaction proceeds from an acquirer, on behalf of a sub-merchant.

Mastercard defines a payment facilitator as a service provider, registered by an acquiring bank (merchant processor, to be more specific), to facilitate transactions on behalf of sub-merchants. Under Mastercard’s rules, a payfac has several responsibilities:

  • Conduct due diligence on each sub-merchant.
  • Monitor all sub-merchant activity to ensure compliance with Mastercard’s standards.
  • Maintain PCI compliance.
  • Only use settlement funds to pay sub-merchants.
  • If a sub-merchant exceeds 100.000 CHF in annual Mastercard transaction volume, the sub-merchant is required to enter into a direct merchant agreement with the acquiring bank.

Each acquiring bank also has different rules for payfacs, which form a complex web of requirements between card networks and banks. Combined, think of a payfac as an entity that handles the relationships with card networks, sub-merchant onboarding, and payment services for merchants. The payfac directly handles paying out funds to sub-merchants.

Most of the requirements for payfacs are enforced by the card networks and acquiring banks. However, regional differences influence how stringently card networks and banks enforce these requirements in the Americas, Europe, and Asia. For example, Visa and Visa Europe are two different entities and may apply rules differently.

How to become a payfac

Becoming a payfac requires building and investing in multiple systems for payment processing, sub-merchant onboarding, compliance, risk management, payouts, and more. Payfacs also have ongoing requirements to maintain their good standing and credit requirements with acquiring banks and card networks.

The Electronic Transactions Association (an advisory organization with members from banks, card networks, and payment processors, also referred to as ETA) strongly recommends engaging industry experts and legal counsel to ensure adherence to laws and guidance that span card networks, acquiring banks, state and federal governments, and global regulatory organizations (e.g., OFAC).

Set up payment systems:

  • Find an acquiring bank: Prospective payfacs approach acquirers with a business plan in order to establish a partnership and get sponsored to facilitate payments for sub-merchants.
  • Integrate payment gateways: Payment gateways provide functionality for sub-merchants to process online payments.
  • Obtain Level 1 PCI DSS certification: To ensure the security of sensitive data, the payfac is required to be Payment Card Industry Data Security Standard (known as PCI DSS) certified, which may also include Europay, Mastercard, and Visa (EMV or chip) certification if the payfac supports in-person transactions.
  • Build merchant management: This includes merchant dashboards, payout systems, and dispute management systems to handle chargebacks.

Set up merchant onboarding and compliance systems:

  • Create underwriting policies and systems to ensure only lawful businesses that comply with card network and acquirer rules are onboarded. The payfac’s system and employees will need to do the following:
    • Verify identities of sub-merchants, including KYC, ownership structure, and business details.
    • Check OFAC and MATCH lists for sub-merchants before onboarding; Mastercard manages the Member Alert to Control High-Risk Merchants (MATCH) list.
    • Assess sub-merchant’s financial health and risk, including fraud, credit, financial, compliance, regulatory, or reputational risk.
  • To manage and mitigate risk, build systems and internal policies to conduct due diligence. The payfac’s system and employees will need to do the following:
    • Comply with AML laws by encoding rules and requirements from card networks and regulatory organizations.
    • Identify suspicious activities (including indicators of terrorist financing).
    • File Suspicious Activity Reports (known as SARs) with the Financial Crimes Enforcement Network (FinCEN) or acquirer, as required.
  • Submit registrations and apply for any additional required licenses:
    • Register as a payfac with each card network.
    • Apply for money transmitter licenses (MTLs) in each state the payfac operates in, if required to support certain fund flows.
    • Apply for regional licenses if required. (Brazil, Malaysia, and the EU—to name a few—require separate licenses.)

Manage ongoing processes and systems:

  • Onboard and underwrite each sub-merchant: Verify the identity, business model, and owner information for each sub-merchant. Set up payment processing for sub-merchants.
  • Monitor risk and update risk systems: Perform due diligence, monitor sub-merchant activity on an ongoing basis, and mitigate risk as needed (e.g., apply processing caps, delayed funding, or reserves).
  • Prevent and block fraud: Proactively prevent fraud on the platform and block or review suspicious transactions. Best practices include using adaptive machine learning for fraud detection. Submit evidence to card networks when needed for chargebacks on behalf of sub-merchants.
  • Pay out funds to sub-merchants: Ensure sub-merchants are paid their earnings on time.
  • Reporting and reconciliation: Generate and distribute 1099s or other tax forms as needed annually.
  • Maintain PCI DSS compliance: Ensure the platform remains compliant even as data flows and customer experiences evolve. Note that some card networks may require payfacs to submit quarterly or annual reports or complete an annual on-site assessment to validate ongoing compliance.
  • Renew payfac registration and licenses: Re-register as a payfac with card networks annually, and update or renew MTLs on the required cadence.

Global expansion

If the platform needs to operate internationally and support sub-merchants in other regions, partnerships with local acquirers, gateways, and other service providers may be necessary. In general, platforms build local systems from scratch in order to adapt to local requirements or support multiple regions.

Governments and regulators may also have different requirements based on geography. The new European payments law, known as the second Payment Services Directive or PSD2, recently introduced major changes that significantly impact multisided platforms, or marketplace businesses, in Europe. Many of these businesses can no longer rely on an exemption from licensing that they availed of previously. Platforms that control the flow of funds need to acquire an e-money license, which can take months and millions of euros to obtain.

Adapt to changing landscapes

The definition of a payment facilitator is still evolving—so is its role. (The Electronic Transactions Association, or ETA, published a 73-page report with new guidelines in September 2018.) Any investments made now to become a payfac will require updates over time to meet changing regulations and requirements.

The technology landscape is evolving as well: Consider that different providers and vendors may be required to offer solutions for local payment methods (like SEPA, Alipay, or iDEAL), multiple currencies, mobile payments, in-person transactions, billing systems for invoicing or subscription payments, and much more.

The cost of becoming a payfac

Setup

Category Description Minimum time required Approximate minimum cost
Payment systems setup
Acquirer sponsorship

Put a strong business plan in place and potentially hire a consultant to assist

Hire a payments attorney

3–6 months Varies by acquirer
Payment gateways Negotiate, contract with, and integrate payment gateways 1–4 months Varies by gateway, but typically a combination of fixed and per transaction fees
PCI compliance (and EMV certification, if needed) Validate Level 1 PCI DSS compliance (includes on-site auditor visit) 3–5 months 50.000 CHF–500.000 CHF
Merchant management system

Build merchant dashboards

Build merchant payout systems

Build dispute management systems for different card networks

6–12+ months 600.000 CHF+ (minimum 4 FTEs at 150.000 CHF per year)
Merchant onboarding and compliance systems setup
Compliance program

Encode card network requirements

Build data retention and privacy systems

2–8 months 300.000 CHF+ (minimum 2 FTEs at 150.000 CHF per year)
Underwriting policies

Integrate with ID verification providers

Build risk-scoring systems

3–12 months 500.000 CHF+
Optionally, use a third-party vendor:
Third-party vendor Select, contract with, and integrate third-party vendor systems 3–6 months 150.000 CHF–250.000 CHF per year
Registrations and obtaining licenses
License fees and regulatory registrations

Initial fees paid to Visa (5.000 CHF) and Mastercard (5.000 CHF)

MTLs required when payfac controls fund flows (150.000 CHF/year for approximately 3 years to set up 50 states = 450.000 CHF minimum)

International licenses (e.g., EU e-money license) if needed

6–18 months

Network fees: 10.000 CHF

US and international licenses: >1.000.000 CHF

Ongoing

Category Description Approximate minimum cost
Merchant onboarding and monitoring

One-time fees include 1 CHF–2 CHF for onboarding and initial risk review and 2 CHF–3 CHF for ID verification

Ongoing monitoring system

5 CHF per month per account
Risk monitoring and mitigation

Due diligence and risk management to ensure all sub-merchants stay in compliance

Update risk systems on regular cadence

Maintain platform-level balances or reserves on sub-merchants to protect against credit risk

250.000 CHF+ per year (1 FTE at 150.000 CHF per year and 1 risk analyst at 100.000 CHF per year)
Fraud prevention

Operate or integrate with third-party systems to prevent and block fraud

0,04 CHF–0,10 CHF per transaction
Chargeback management Handle chargeback and evidence submission 15 CHF per dispute
Payouts and funds routing Ensure merchants get paid out on the right schedule 0,25 CHF per transaction
Reporting and reconciliation

Generate and distribute 1099s or other tax forms as required (1099s cost as little as 5 CHF per form to generate, but can incur up to 250 CHF in fees if filed incorrectly)

Run platform-level financial close processes and financial audits as needed

5 CHF–255 CHF per form

100.000 CHF per year (1 finance FTE)

Annual PCI validation Validate Level 1 PCI DSS compliance every year and re-validate any time changes are made to payment flows throughout the year 200.000 CHF+ per year
Renew payfac registration (and other licenses, if needed)

Re-register as a payfac with Visa and Mastercard (5.000 CHF per year each)

Renew money transmission licenses every 2 years

10.000 CHF+ per year

Alternatives to becoming a payfac

Becoming a payfac requires significant time and monetary investment. The good news is that for most business models, including platforms that want to help their users accept payments, becoming a payfac is not necessary. Platforms that use Stripe Connect, which is a product built specifically for platforms and marketplaces, stay outside the flow of funds while still providing customized experiences to sub-merchants for accepting payments.

Stripe Connect is API-first and lets platforms design the best experience for their customers. Platforms get the ability to do the following:

  • Fully customize onboarding flows or leverage prebuilt UI components for onboarding.
  • Set payout timing.
  • Set pricing and fees.
  • Manage complex money movement.
  • Integrate and unify financial reporting.
  • Scale the business globally without having to establish local bank accounts and company entities in each market.

Meanwhile, Stripe takes on the payment processing responsibility and handles the flow of funds, which simplifies not only the integration work required but also the operational overhead of managing payments. Stripe will even provide free, 24×7 payments support to the platform’s users.

Today, there are only a few scenarios where becoming or staying a payfac is required for platforms and marketplaces:

  • If the platform needs to hold money in escrow or for an extended period of time.
  • If the platform has set up specific fund flows that require money transmission licenses in certain states.
  • If the platform has existing legacy systems that require registering as a payfac.

Even in these cases, simple workarounds could allow the platform to use Stripe:

  • Determine if funds really need to be held for more than 30 days or if there are other ways to manage user funds.
  • Consider similar fund flows that accomplish the platform’s goals without requiring money transmission licenses, or use Stripe Connect to remain outside the flow of funds.

Even though there are a lot of considerations, costs, and risks to becoming a payfac, there are a lot of benefits to adding payments to a platform or marketplace. Payments functionality can help differentiate the platform in competitive markets and improve the experience for sub-merchants.

If you’d like to learn more about Stripe Connect, visit our website. If you’d like to talk to our team about your specific use case and brainstorm approaches, please get in touch.

Back to guides
You’re viewing our website for Switzerland, but it looks like you’re in the United States. Switch to the United States site