CFO checklist for payment processor due diligence
- The rate is the least important variable. Contract termination, reserve release, and data portability matter more.
- A due diligence package a CFO should review is about 14 documents, not 3.
- Most processor agreements contain clauses that let the processor keep funds for 180 days after termination — audit these explicitly.
Finance teams get pulled into the payment processor decision after the operations team has already picked a vendor. That's backwards. The CFO's checklist isn't "is the rate competitive" — it's "if this processor freezes us tomorrow, what happens to receivables, chargebacks, and customer trust." Here's what the CFO should review before any signature.
1. Effective rate, not headline rate
Headline rate ignores assessments, PCI fee, batch fee, chargeback fee, retrieval fee, monthly minimum, statement fee, IRS reporting fee, and the roughly 6-9 other line items that show up on a real statement. Effective rate = total fees / total gross volume. Do this math from sample statements; do not trust the sales quote.
2. Reserve structure
Rolling vs upfront, percentage, window, release conditions, and — critically — the clause that lets the processor increase reserve unilaterally during the contract. Nearly every processor has this clause; the question is how predictable the triggers are and what notice you get. See reserve math.
3. Termination rights
Processor's right to terminate (usually 30 days, sometimes immediate for "risk"). Your right to terminate (often locked for 1-3 years with an early termination fee). What happens to reserves on termination — specifically the clause allowing the processor to hold funds for 180 days post-termination "to cover potential chargebacks" even if you have no disputes open.
4. Data portability
On termination, what tokenized customer card data do you get back, in what format, and how fast. PCI-compliant card vault migration is a real operational need if you ever switch. Many processors make token migration painful by policy, not technology. See switching playbook.
5. Chargeback responsibility and fees
Per-chargeback fee ($15-$35 typical). Retrieval request fee. Representment fee. What the processor's dispute desk does vs what you do. Who receives the compelling evidence and by when. Whether the processor's win rate data is shared with you.
6. Refund mechanics
Refund fee (some processors keep the processing fee on refunds; some return it). Refund timing to cardholder. Refund impact on reserve calculation. Batch refund processing vs per-transaction.
7. Settlement and payout timing
T+1, T+2, T+3. Weekend processing. Holiday processing. Daily minimum vs threshold. Whether the processor can delay payouts without notice and for how long. Audit actual settlement against contract for 60 days before signing extensions.
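One way to run the settlement audit described above, as an added example that is not from the original page: it measures each payout's lag in business days (weekends and any supplied holiday dates skipped) and flags payouts that landed later than the contracted T+N. The payout records and the T+2 contract term are constructed sample values.

```python
from datetime import date, timedelta

# Constructed sample payout records (not real processor data):
# (batch close date, date funds actually landed in the bank, amount).
SAMPLE_PAYOUTS = [
    (date(2024, 3, 4), date(2024, 3, 6), 12_400.00),   # Mon -> Wed
    (date(2024, 3, 5), date(2024, 3, 7), 9_870.50),    # Tue -> Thu
    (date(2024, 3, 8), date(2024, 3, 12), 15_020.25),  # Fri -> Tue, weekend skipped
    (date(2024, 3, 11), date(2024, 3, 15), 7_310.00),  # Mon -> Fri
    (date(2024, 3, 12), date(2024, 3, 18), 4_100.00),  # Tue -> Mon
]

def business_days_between(start, end, holidays=frozenset()):
    """Business days after `start` up to and including `end`; weekends and
    `holidays` (the processor's non-processing days) are not counted."""
    days = 0
    current = start
    while current < end:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in holidays:
            days += 1
    return days

def audit_settlement(payouts, contract_t_plus, holidays=frozenset()):
    """Return every payout that landed later than the contracted T+N."""
    late = []
    for batch_date, received_date, amount in payouts:
        lag = business_days_between(batch_date, received_date, holidays)
        if lag > contract_t_plus:
            late.append({
                "batch": batch_date.isoformat(),
                "received": received_date.isoformat(),
                "amount": amount,
                "lag_days": lag,
                "excess_days": lag - contract_t_plus,
            })
    return late

def summarize(payouts, contract_t_plus, holidays=frozenset()):
    """Roll the late list up into the figures a CFO actually asks for."""
    late = audit_settlement(payouts, contract_t_plus, holidays)
    total = sum(amount for _, _, amount in payouts)
    late_amount = sum(item["amount"] for item in late)
    return {
        "late_count": len(late),
        "late_amount": round(late_amount, 2),
        "late_share": round(late_amount / total, 4) if total else 0.0,
        "worst_lag_days": max((i["lag_days"] for i in late), default=contract_t_plus),
    }
```

Running `summarize(SAMPLE_PAYOUTS, contract_t_plus=2)` over a real 60-day export gives the count, dollar amount and share of payouts that missed the contract term, which is the evidence to bring to the renewal conversation.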
8. Audit access
API access to raw transaction data. Webhook reliability. Statement granularity (per-transaction detail or aggregates). Historical data access window (some processors delete detail after 13 months). Export formats (CSV, JSON, Parquet). Your ledger reconciliation work is entirely dependent on this.
9. SLA and uptime
Formal SLA language (many processors have none). Public status page history. RTO/RPO for processor outage. Failover to backup processor — which requires having a backup. This is where orchestration-layer providers differ from single-processor vendors. See Stripe comparison.
10. Compliance and security
PCI DSS attestation level for the processor. Your PCI scope under each integration pattern (SAQ A vs SAQ D). SOC 2 report access. Incident notification SLA. Data residency if relevant. See PCI for merchants.
11. Insurance and indemnification
Processor's E&O coverage. Cyber liability coverage. Indemnification clauses — who pays if the processor's breach exposes your customer data. These clauses are usually one-sided; CFOs should negotiate them.
12. Dispute resolution and governing law
Arbitration or court. Governing state. Class action waiver. Attorney fees clause. The processor's choice of New York or California law vs your state can materially affect your options in a dispute.
13. Economic upside sharing
Interchange optimization: are they passing you Level 2/Level 3 data benefits? Are they sharing surcharging upside if applicable? Durbin debit routing benefits? Most merchants don't ask and leave 10-30 bps on the table.
14. Reference checks
Ask for 3 references at similar volume and vertical. Call them. Ask specifically: "Have they ever frozen your account, raised your reserve unilaterally, or missed a payout?" The answers are the most informative data point in the whole process.
Multi-brand specific items
For operators with 3+ brands, additional line items: how sub-brand descriptors are assigned and controlled, whether chargebacks are cross-collateralized across brands (they usually are — a bad month on brand A can freeze brands B-F), and what reporting granularity exists per brand. This is where the multi-brand playbook diverges from single-brand due diligence.
Red flags that should stop the deal
- No written SLA
- Reserve increase clause with no notice period
- Token migration explicitly excluded from contract
- No historical data access after termination
- Dispute win rate not shared
- "Special" rate that requires marketing testimonial
- References decline to be called
- Acquirer identity not disclosed (you have a right to know who the actual acquirer is)
What to do before signing
Run the 14-item checklist against the contract. Flag each item that's missing or one-sided. Redline the contract — most processors will accept 40-60% of reasonable redlines at deal close. Once signed, the redline leverage is gone.
For multi-brand portfolios, the due diligence also includes asking whether the processor supports parent account structures and cross-brand orchestration at all — most don't. That shifts the decision from "which single processor" to "which orchestration layer." Look at pricing or apply for a fit check.