Payment Facilitators and PCI: “Everybody Has to Start Somewhere”

Lock in space-like setting

An organization’s PCI scope – the components of its business that need to be included in an assessment – can have a dramatic impact on the costs for that company to comply with the security standard’s requirements.

According to Chris Bucolo, that’s the fundamental reason payment facilitators need to “engage early.”

Bucolo, vice president of market strategy for ControlScan, told the audience at PF WORLD 2018 that working with trusted advisors – including a qualified security assessor (QSA) – early in the business planning process can help organizations make fundamental decisions that impact their scope.

Bucolo emphasized that compliance with the PCI data security standard requires a holistic approach. He named three elements to PCI security: “It’s the software, it’s the hardware, and it’s the overall environment and the merchant environment that it’s being used in,” he said.

Companies often make the mistake of thinking they are PCI compliant because they have compliant systems or applications, he said, without understanding that they need to evaluate the environment where those systems operate.

Bucolo also advised the audience that card brands appear to be expecting more from payment facilitators when it comes to submerchant compliance with PCI.

“It used to be your processor would just say, ‘try to educate them.’ Now they’re saying, ‘are you educating them?’ and it’s moving into ‘are you helping them get compliant?’” he said.

For payment facilitators, PCI compliance efforts begin with a gap analysis, which he reassured the audience does not necessarily mean that they will find “gaping holes” in their systems.

“It’s more about getting you ready by understanding what’s missing,” he said.

Most organizations have only a fraction of the requirements in place, he said. So, companies should not view an initial lack of compliance as a failure when they’re beginning the process of assessing their PCI-related needs.

“Everybody has to start somewhere,” he said.

Watch for additional insights from around the payment facilitator ecosystem as we continue to share video from PF WORLD 2018 in future weeks.