NY TSB-A-15(16)S Sales Tax 2015-05-07

Which of a credit-card fraud-management firm's services -- fraud scoring, managed review, chargeback, payment gateway, implementation, consulting, support -- are subject to NY sales tax?

Short answer: The fraud-detection services are taxable protective services; the chargeback and payment-gateway services are not. Any ongoing service whose function is to detect or prevent fraud or theft is a protective service taxable under Tax Law section 1105(c)(8). So the firm's main fraud-management service (assessing the risk of credit-card fraud for specific transactions), its profile-builder add-on, and its managed services (staff manually reviewing transactions for fraud) are all taxable protective services when the customer is in New York. By contrast, the chargeback-management service is nontaxable data processing (it doesn't assess fraud risk), and the payment-gateway service is nontaxable data processing too (its telecommunication element is ancillary, and enabling secure transmissions isn't a protective service). Implementation services and customer support take on the tax status of whatever base service they accompany -- taxable if tied to the protective service. Consulting and training are generally not taxable, but they become taxable when they are a compulsory part of, or integral to, a taxable protective service, or are ongoing monitoring to reduce fraud; only optional, non-ongoing advice that isn't specific to using the firm's protective service stays nontaxable.
Currency note: this ruling is from 2015
Subsequent statutory amendments, regulation changes, court decisions, or later rulings may have changed the analysis. Treat this page as historical context, not current tax advice. Verify current law before relying on any specific rule, rate, or position mentioned here.
Disclaimer: This is an official New York State Department of Taxation and Finance Advisory Opinion (TSB-A), issued by the Office of Counsel at a taxpayer's request. It is limited to the facts set forth in it and binds the Department only with respect to the petitioner to whom it was issued, and only if that petitioner fully and accurately described all relevant facts; another taxpayer cannot rely on it. It reflects the law, regulations, and Department policy in effect when issued and may since have changed. Taxpayer-identifying details are redacted. New York State and local sales taxes are administered centrally by the Department. This summary is informational only and is not legal or tax advice. Consult a licensed New York tax professional about your specific situation.
About this page: The plain-English summary, reader guidance, and Q&A below were written by Ezel based on the official state tax ruling. The original ruling (linked at the bottom of this page, or PDF in the sidebar) is the authoritative source for any reliance.

Plain-English summary

The Petitioner sells merchants a suite of payment-related services. The Office of Counsel ruled on each, anchored to one principle: any ongoing service whose function is to detect or prevent theft or fraud is a "protective service" taxable under section 1105(c)(8).

Taxable protective services:
- Fraud management (its primary service): scoring the risk of credit-card fraud for specific transactions so the merchant can decide whether to accept a card. Whether the output is a number or a narrative, its purpose is to detect/prevent fraud -- taxable.
- Profile builder: an add-on that improves the fraud-management service and is sold only with it -- same status, taxable.
- Managed services: staff manually review flagged transactions for fraud -- the same protective function done by hand -- taxable.

Not taxable (data processing):
- Chargeback management: merely facilitates data processing of the chargeback workflow; it doesn't assess fraud risk -- not taxable.
- Payment gateway: a white-label gateway for processing card transactions; its telecommunication element is ancillary to the data-processing service of formatting data for the processors, and enabling secure transmission is not a protective service -- not taxable.

Follow-the-base-service:
- Implementation services: take on the tax status of the base service they're billed with -- taxable if tied to the protective service, nontaxable if tied to a nontaxable one.
- Customer support: likewise follows the base service -- support for a taxable protective service is taxable.

Consulting/training -- the nuanced one: consulting and training are generally not taxable, but they're taxable when (a) a compulsory component of a taxable protective service, (b) integral to it (e.g., advising how to set the risk parameters used in the fraud service), or (c) ongoing monitoring to reduce fraud. Only optional, non-ongoing advice that isn't specific to using the firm's taxable protective service stays nontaxable.

What this means for you

Fraud / risk / security vendors

If your service's job is to detect or prevent fraud or theft on an ongoing basis -- fraud scoring, transaction screening, manual fraud review -- it's a taxable protective service under 1105(c)(8). Automating it vs. doing it by hand doesn't change the answer.

Pure data processing stays nontaxable

Services that just move and format data without assessing risk -- chargeback workflow tools, payment gateways -- are nontaxable data processing, even when they involve secure transmission. Secure transmission alone is not a protective service.

Bundled add-ons, setup, and support follow the core

Add-ons, implementation, and customer support inherit the tax status of the base service they're sold with. Bill them against a taxable protective service and they're taxable.

Consulting: optional + non-ongoing + generic = nontaxable

Keep advisory work nontaxable by making it optional, non-ongoing, and not specific to operating your taxable protective service. Compulsory, integral, or ongoing-monitoring advice is taxable -- including advice on tuning the risk rules that drive the fraud service.

Common questions

Q: Is credit-card fraud scoring taxable in New York?
A: Yes -- detecting/preventing fraud is a protective service taxable under section 1105(c)(8), whether automated or done by manual review.

Q: Are my chargeback tool and payment gateway taxable?
A: No -- those are nontaxable data processing. Their telecom/secure-transmission elements are ancillary and aren't protective services.

Q: Is my setup fee or consulting taxable?
A: Implementation and support follow the base service. Consulting is nontaxable only if optional, non-ongoing, and not specific to using your taxable protective service; otherwise it's taxable.

Q: Can I rely on this opinion?
A: It binds the Department only as to the petitioner. Use it as guidance and confirm your own facts.

Citations and references

  • Tax Law section 1105(c)(8) (sales tax on protective and detective services)
  • Tax Law section 1105(c) (sales tax on enumerated services; consulting not enumerated)
  • Tax Law section 1105(c)(1) (information services)
  • 20 NYCRR section 527.1(b) (single charge for taxable and nontaxable items)

Source

Original ruling text

New York State Department of Taxation and Finance

TSB-A-15(16)S
Sales Tax
May 7, 2015

Office of Counsel
Advisory Opinion Unit

STATE OF NEW YORK
COMMISSIONER OF TAXATION AND FINANCE
ADVISORY OPINION

PETITION NO. S140114A

The Department of Taxation and Finance received a Petition for Advisory Opinion from
REDACTED REDACTED REDACTED “Petitioner”. Petitioner asks whether various services
it provides are subject to sales tax.
We conclude that Petitioner’s main services (fraud management service, profile builder
service, and managed services) are subject to sales tax as protective services covered by Tax Law
§ 1105(c)(8). Petitioner’s charges for chargeback management service and payment gateway
service are not subject to sales tax. Petitioner’s implementation services, fraud consulting
services, and customer support services may be subject to sales tax depending on the specific
nature of the work and the terms under which the service is provided.
Facts
Petitioner provides a variety of services, described below, to its customers. In most
cases, the charges for each of Petitioner’s services are separately stated on invoices and other
documents.
Fraud Management Service

Petitioner’s primary service is a “fraud management” product offered to merchants that
are seeking information as to the fraud risks associated with the credit cards that are being used
to purchase goods from the merchants. Basically, Petitioner provides its customer, the merchant,
with information as to the risk of credit card fraud for a specific sales transaction, so that the
merchant can decide whether it should complete a proposed purchase to be made over the
Internet with a credit card. The information is in the form of a numeric value that is based on
parameters selected by its customer.
Petitioner’s customer submits to Petitioner, through the Internet, information about a
proposed credit card transaction, such as the credit card number, credit card expiration date,
issuing bank, credit card customer’s IP and email address, amount of purchase, and time of
purchase. Petitioner’s computer system contains historic data on its customer’s past sales
including those involving use of fraudulent credit cards and may also contain similar information
pertaining to other merchants that are Petitioner’s customers. Petitioner’s customer sets the rules
used to determine when a credit card should be rejected because of fraud or identity theft risk
and assigns the weight accorded each rule. That is, the rules reflect the customer’s specific risk
tolerance in accepting a payment by credit card. Petitioner will, for an additional fee, help
develop more detailed and advanced fraud fighting strategies. The customer’s rules are inputted
to Petitioner’s computer system, which then employs proprietary software, customer data and
third party data to determine whether the risk of credit card fraud for a specific transaction is
greater than Petitioner’s customer deems acceptable.
Profile Builder Services
As part of the fraud management services provided by Petitioner, customers may also
purchase profile builder services. Under these services, Petitioner uses additional data provided
by the merchant to improve the quality of the fraud management service. This service can be
purchased only in conjunction with the purchase of Petitioner’s main fraud management service.
Managed Services
Managed Services involve manual review by Petitioner’s staff of credit card transactions.
Petitioner’s employees screen transactions that have been set aside for manual review based on
the merchant’s rules and risk tolerance to determine if there is a risk of fraud. Petitioner uses
third party information, such as physical address look-up sites, in its manual analysis of fraud
risk. It electronically communicates the results of its analysis to its customer. As part of this
service, Petitioner’s staff continually reviews the customer’s risk tolerance rules and
configurations for changes that can improve fraud screening. Petitioner’s customers have the
option of performing their own manual reviews of credit card transactions.
Implementation Services
Petitioner provides services to merchants to implement Petitioner’s services, and, solely
at the merchant’s instructions, to integrate Petitioner’s service with data verification products and
other services provided by third parties. Petitioner also creates rules to convert database entries
into a format that it can use. Depending on the third party, Petitioner’s implementation services
can be provided for free or for a charge, which may be paid by the merchant to the Petitioner or
paid by the merchant directly to the third party providing the service to the merchant. When
Petitioner implements its offerings for a merchant, the parties work together to develop an initial
set of fraud screening rules that the merchant can alter on an ongoing basis as fraud trends and
merchant needs change.
Fraud Consulting Services
Petitioner provides fraud consulting services to its customers. This service entails
certification and training of a merchant’s employees on fraud risk and management, periodic
performance reviews and optimization of Petitioner’s services as used by a customer, and risk
analysis specific to the merchant or the merchant’s industry.
Chargeback Management Services
Chargeback management services allow Petitioner’s customers to manage the inquiry and
chargeback process for all major payment brands. In some instances, the charge billed to a credit
card account must be reversed due to fraud, an unintended charge, or failure of the delivery of
goods. A chargeback inquiry is initiated by the issuing bank of a credit card, which seeks to have
the charge reversed. The merchant then reviews the inquiry to determine if there is a dispute.
Petitioner’s chargeback management services increase the efficiency of the review of these
inquiries by allowing a merchant to review data related to an inquiry quickly and to automate
parts of the review of the inquiry. Credit card processors transmit chargeback inquiries and the
information related to those inquiries to Petitioner. Merchants then use Petitioner’s services to
access the inquiry information over the Internet and determine whether to accept the inquiry and
then respond accordingly. The merchants typically review each inquiry individually and make a
determination manually. Once the merchant has responded, Petitioner transmits the information
over the Internet back to the credit card processors.
Payment Gateway Services
These services provide merchants with a single, reliable and secure end-to-end solution
for global payment processing of all major payment brands. The gateway is hosted by a third
party and provided by Petitioner to its customers as a “white-label” offering (i.e., the gateway is
the third party’s but appears to merchants to be the Petitioner’s gateway). The payment gateway
services allow merchants to authorize, approve, void, and reverse credit card purchases made by
various credit card brands. Petitioner accesses the services over the Internet to complete an
initial set up. Petitioner can also generate reports based on data used in the processing, but the
merchants have very little interaction with the services on a daily basis. Once the configuration
is complete, the merchant sends data over the Internet to Petitioner regarding the merchant’s
credit card transactions. A third party routes and exchanges this information on behalf of
Petitioner with credit card processors over the Internet to process the credit card transactions.
Petitioner ensures that the data sent by merchants is compatible with the data and databases used
by the credit card processors.
Customer Support Services
Petitioner provides customer support services for its offerings. Customers may pay
different fees for different tiers of service. For example, tiers of service with higher fees may
offer longer hours of live support.
Analysis
Tax Law §1105(c)(8) imposes sales tax on the receipts for
[p]rotective and detective services, including, but not limited
to, all services provided by or through alarm or protective
systems of every nature, including, but not limited to, protection against burglary, theft, fire, water damage or any
malfunction of industrial processes or any other malfunction
of or damage to property or injury to persons,…
Under the rules of statutory construction, words and phrases used in a statute generally should be
given their ordinary meaning and a tax law should be interpreted as an ordinary person reading it
would interpret it. People v. Cruz, 48 NY2d 419 (1979); SIN, Inc. v. Department of Finance of
City of New York, 126 AD2d 339 (1st Dept., 1987); McKinney’s Statutes §3232. Thus,
protective services and protective systems of every nature should include services intended to
protect the person or entity purchasing them from danger or risk. In this instance, Petitioner is
providing a protective service subject to sales tax under Tax Law § 1105(c)(8) when it provides
a merchant with information or advice pertaining to the risk of credit card fraud for specific
transactions. Any ongoing service whose function is to detect or prevent theft or fraud is a
protective service for purposes of § 1105(c)(8). Fraud detection or prevention includes providing
a risk assessment of credit card fraud for specific transactions. Petitioner’s receipts for its
protective services are subject to New York sales tax if its customer is located in New York.
The tax treatment of the Petitioner’s specific services is set forth below.
Fraud Management Service

Petitioner’s primary fraud management service is subject to sales tax as a protective
service. Petitioner provides under this service a risk assessment of credit card fraud for specific
transactions. Irrespective of whether the risk analysis consists of an explication of the fraud risk
or just a numeric value, the purpose of the analysis is to detect potential fraudulent use of credit
cards and thereby prevent Petitioner’s customer from being a victim of fraud.
Profile Builder Services
Petitioner’s profile builder service is subject to sales tax as a protective service. It is an
add-on or a supplemental component of Petitioner’s fraud management service, intended to
improve the quality of the fraud management service. It is only available to purchasers of the
fraud management service. Therefore, profile builder service has the same sales tax status as the
fraud management service.
Managed Services
Petitioner’s managed service is subject to sales tax as a protective service. Basically,
Petitioner performs manually the same type of service that its primary fraud management service
performs automatically solely through the use of computer analysis. Petitioner provides under
this service a risk assessment of credit card fraud for specific transactions. Therefore, the service
qualifies as a protective service for purposes of sales tax.
Implementation Services
The sales tax status of Petitioner’s implementation services depends upon the sales tax
status of Petitioner’s other service that is being integrated with a third party service. If the
implementation fee is billed to the customer of the base service, the fee is a component or
expense of the base service being provided by Petitioner; therefore, the implementation service
will have the same sales tax status as the base service. Cf TSB-A-89(38). Thus, if Petitioner’s
other service is subject to sales tax as a protective service and the customer of this other service
pays the implementation fee to Petitioner, the fee is subject to sales tax. For example, if
Petitioner provides implementation service in conjunction with its fraud management service, the
implementation fee is subject to sales tax. On the other hand, the implementation fee is not
subject to sales tax if it is provided in conjunction with another service sold by Petitioner that is
not subject to sales tax.
Fraud Consulting Services
In general, consulting and training services are not subject to sales tax. See TSB-A-92(31)S;
TSB-A-09(33)S. This general rule applies to security consulting services. See TSB-A-90(2)S.
However, this general rule is subject to several qualifications. Any charge for consulting
or training that is a compulsory component of a taxable protective service is itself subject to sales
tax under Tax Law § 1105(c)(8). See TSB-A-10(32)S; TSB-A-07(28)S, see also TSB-A-03(11)S.
That is, consulting or training services are not subject to sales tax only if they are
optional services. In addition, services that are denominated as consulting may be subject to sales
tax if they are integral to a taxable protective service. For example, if petitioner charges a
customer for advice on developing or modifying the risk parameters that are used in the
provision of Petitioner’s main fraud management service, the charge for advice itself would
qualify as protective service subject to sales tax. Finally, a service provided on an ongoing basis
to regularly monitor a customer’s business in order to identify ways to reduce fraud qualifies as a
protective service even if the charge for the service is denominated as consulting. In summary,
optional charges for advising a customer on a non-ongoing basis on how to reduce fraud are not
subject to sales tax, provided that the advice is not specific as to how to use a taxable protective
service provided by Petitioner.
Chargeback Management Services
The chargeback management service is not subject to sales tax. The service merely
facilitates data processing related to the chargeback process. Petitioner does not provide an
assessment of fraud risk or otherwise detect or prevent fraud as part of this service.
Payment Gateway Services
The Payment Gateway service is not subject to sales tax. While this service does involve
telecommunications, which might be subject to sales tax under Tax Law §1195(h)(1) this
telecommunication component is ancillary to the data processing service that Petitioner provides
in ensuring that the data the customer is transmitting is in a very specific format that will be
intelligible to the recipient.
Payment Gateway service is not subject to sales tax under Tax Law § 1105(c)(8) because
the enabling of secured transmissions is not a protective service.
Customer Support Services
The sales tax status of Petitioner’s customer support services depends upon the sales tax
status of Petitioner’s other service for which customer support is being provided. Providing
guidance on an ongoing basis on how to maximize use of a protective service is itself a
component of the protective service. Therefore, customer support services provided in
conjunction with taxable protective services are themselves subject to sales tax under Tax Law §
1105(c)(8).

DATED: May 7, 2015

/S/
DEBORAH R. LIEBMAN
Deputy Counsel

NOTE:

An Advisory Opinion is issued at the request of a person or entity. It is limited to the
facts set forth therein and is binding on the Department only with respect to the
person or entity to whom it is issued and only if the person or entity fully and
accurately describes all relevant facts. An Advisory Opinion is based on the law,
regulations, and Department policies in effect as of the date the Opinion is issued or
for the specific time period at issue in the Opinion. The information provided in this
document does not cover every situation and is not intended to replace the law or
change its meaning.