Learn about payments and the payment facilitator model from our team of experts
How to Become a Payfac: Steps on the Payfac Journey
For many software companies, becoming a payment facilitator, or Payfac, is an opportunity to benefit from a new revenue stream and gain more control over the customer experience. But because payments are outside the typical software company’s core offerings and expertise, bringing them in-house can seem daunting. What does it really take to become a Payfac?
Every company will have a slightly different journey to being a Payfac, depending on their market and what they hope to accomplish, as well as how their systems are already set up. But the needs and requirements for Payfacs are well defined. Outlined below are the steps most companies will need to take.
Every journey begins with an assessment phase to decide whether becoming a Payfac is truly for you. These steps will help you make that determination.
- Conduct a readiness assessment
- Determine any licenses you will need for your specific situation
- Model the business case
- Assess your financial risks
- Assess your merchant verticals
Getting Started / Setting Up
Once you’ve decided to become a Payfac, the process typically takes six to 12 months, depending on how your system is set up to begin with. While not a comprehensive guide for every situation, the following steps are the typical actions that most Payfacs will need to take. They are explained in further detail below.
- Choose a sponsoring acquirer and register with them as a Payfac
- Obtain PCI DSS Level 1 certification
- Obtain Payments Institution (PI) or Electronic Money Institution (EMI) license if needed (Europe-specific)
- Build your platform
- Establish connectivity to the acquirer’s systems
- Set up merchant management systems
- Set up payment processing
- Choose a terminal solution
Choose a sponsoring acquirer and register with them as a Payfac
Every Payfac must register with a sponsoring acquirer. Before agreeing to sponsor you, the acquirer will conduct an underwriting process, which includes checking to make sure your business is legal and analyzing your financial situation.
Once these requirements are satisfied, the sponsoring acquirer then registers your business as a payment facilitator. After successful registration, your sponsoring acquirer will provide you with a unique Payfac identifier and grant your business a Master ID (MID) account. You must have written confirmation of your registration before you start operating.
After you’re registered as a Payfac, your sponsoring acquirer will review your operations annually.
Obtain PCI DSS Level 1 certification
PCI DSS certification ensures the security of the sensitive data that passes through the payments system. PCI covers storing, transmitting and processing card data.
All entities within the payments system must be PCI compliant. What that means for each individual business depends upon their processing amounts and their exposure to cardholder data.
The process to become PCI certified typically takes about three to five months.
Obtain PI or EMI license if needed
PI or EMI licenses are Europe-specific. They allow entities to provide merchant services and handle and initiate payments. Other local licenses might apply, depending on where you plan to operate.
Build your platform
When building your platform, you don’t necessarily have to build the systems you need yourself. You can leverage the solutions that are widely available from third-party vendors.
Establish connectivity to the acquirer’s systems
Operating as a Payfac requires a two-way information flow with the acquirer. As a Payfac, you push transaction information to the acquirer. The acquirer also has access to your system to oversee your performance and compliance status.
Set up merchant management systems
Merchant management systems include any systems you need to interact with your merchants, including dashboards, payout systems and dispute management systems to deal with chargebacks.
Set up payment processing
Payfacs use their acquirer’s processor to process the payments that cross their platform. If you’ve contracted with more than one acquirer, you’ll use their respective processors for different submerchants.
Choose a terminal solution
Every Payfac must determine how their submerchants’ payments will enter the system. Payfacs with a focus on verticals such as restaurants / brick-and-mortar retail will need to identify a hardware terminal solution. Payfacs that are focused on online / ecommerce verticals will need to provide their submerchants with cloud or online portal-based solutions.
Once you’re up and running as a Payfac, you need to be prepared to manage your responsibilities on an ongoing basis. These include:
- Perform due diligence on your submerchants
- Manage ongoing submerchant operations
- Pay your submerchants
- Test and monitor your systems
- Report to your acquirer
- Maintain PCI compliance
Perform due diligence on your submerchants
Every Payfac is required to conduct know-your-customer (KYC) checks to verify the legitimacy of the merchants you are taking under your umbrella and to help identify high-risk merchants before taking them on board. KYC processes include checking the following aspects of each business:
- Business structure
- Financial situation (including fraud history, reputation, any needed compliance)
- Monthly payments volumes
- Average ticket sizes
- Consistency of these parameters with the business’s merchant category code (MCC), which indicates the type of business it is in
- Web pages, which would outline the products sold, delivery and return policy, terms and conditions
The card networks also require Payfacs to check their merchant applicants against the Member Alert to Control High Risk Merchants (MATCH) report to ensure that they have not been terminated by other payments entities before processing any transactions.
Manage ongoing submerchant operations
First, Payfacs must underwrite new merchants who are coming on board. This includes conducting basic checks when the submerchant initially signs up as well as conducting ongoing checks as the submerchants grow and approach new payment volume tiers.
Ongoing operations also include:
- Payment processing under your unique MID
- Real-time risk monitoring, including any changes in average ticket, delayed delivery, or transaction anomalies based on MCC
- Fraud monitoring, which means preventing fraud by blocking or proactively reviewing suspicious transactions
- Managing chargebacks on behalf of submerchants by submitting evidence to card networks
- Mitigating risks as needed according to the situation, perhaps by holding reserves or applying processing caps
Pay your submerchants
Payfacs must manage the payment of funds out to their submerchants, ensuring that every submerchant is paid on time.
Test and monitor your systems
As a Payfac, it’s important to monitor and test your systems on an ongoing basis and refine or adjust them as needed.
Report to your acquirer
You must be prepared to report submerchant activity to your sponsoring acquirer on a quarterly basis or any time it is requested.
Maintain PCI compliance
As a Payfac, you must renew your PCI license on an annual basis.
When considering becoming a Payfac, it’s important to remember that this is a journey many other software companies have taken before, and there are many resources available to support you along the way. Consult our experts at Infinicept for more information on starting your Payfac journey.