PCI Compliance for Payment Facilitators
When it comes to ensuring Payment Card Industry Data Security Standards (PCI DSS) compliance, there can be a lot of moving parts. As a payment facilitator (PF), the PCI standards have an extensive impact on you and your business model.
The payment facilitator model is increasingly gaining in popularity and disrupting the payments space. A lot of buzz around a new model is exciting and creates opportunity for you to grow your business – but we all know the good guys aren’t the only ones reading the news. As new models emerge, it is important to recognize that bad actors are learning all they can – meaning that consumer card data security must be a part of any successful payment facilitator program.
So how can you successfully navigate the PCI landscape, as it relates to the PF model?
In this article, we’ll discuss the ins and outs of PCI DSS compliance as it relates specifically to payment facilitators – and provide you with helpful tips for navigating the world of PCI Compliance. We’ll talk about common PF pitfalls when it comes to compliance, PCI scope for payment facilitators, and PCI compliance keys to success for payment facilitators.
But let’s start off with the basics. What is compliance and why is it so important?
What is PCI?
To put it simply, the PCI DSS standards exist to protect cardholder data. Developed and maintained by the PCI Security Standards Council (founded by five of the largest card brands: American Express, Discover, JCB, Mastercard, and Visa), the PCI standards are a collaborative effort within the payments industry to uphold and protect the integrity of the payments system and ensure security for cardholders.
This means any entity that stores, processes or transmits cardholder data is subject to compliance standards and requirements – including payment facilitators.
The ability to uphold transparent data security protocols that are deemed compliant with PCI is what ultimately protects you and your submerchants from data compromise and its associated costs – from both a financial and brand integrity perspective. Both can be material in nature when data breaches occur.
Common PCI Pitfalls
The most common mistake companies make when it comes to compliance is making the assumption that they are already PCI compliant because they’re using systems or applications assumed to be compliant. But that’s only part of the equation.
Believe it or not, the environment within which those systems operate is often just as important as the applications themselves.
For example, if one of your submerchants uses a compliant software system for payment remittance but there are insufficient controls over who has access to the payment system at the merchant location, you (the PF) could be in compliance violation. Even if a system is compliant, unrestricted access can still result in unwanted data compromise. This is just one common pitfall that often goes overlooked.
One of the most proactive steps you can take as a PF is retaining the services of a certified QSA to help you establish and maintain a compliant environment for you and your submerchants. QSAs are certified by the PCI council to guide you along your compliance journey. They know the right questions to ask, the most common pitfalls, as well as the most effective and affordable protocols to get your business where it needs to be.
Most major credit card processors for payment facilitators require a yearly QSA assessment to ensure PFs are maintaining their PCI compliance. This yearly assessment allows PFs to make sure their ever-changing business is keeping up with compliance needs, ultimately minimizing their risks as a payment facilitator.
There are several security and compliance companies registered through the PCI SSC (Security Standards Council) that can pair you with a QSA that’s right for you. The PCI SSC also publishes a list of approved companies.
Scope it Out
When it comes to navigating PCI in the PF landscape, it’s important to know that as a PF there are two pieces to the puzzle. A PF is responsible for their own compliance and for the compliance of their submerchants. To drill down on what this means, Chris Bucolo, SVP of Market Strategy at ControlScan (a leading security and compliance provider), offered PFs some sage advice.
According to Bucolo, “it’s very clear that the PCI buck stops at the payment facilitator.”
“PCI scope” is a common phrase when it comes to successfully adhering to the PCI standards. Your PCI scope refers to the elements of your unique business environment (including people, systems, and technology) that directly or indirectly influence the security of the cardholder data you process.
This being the case, one of the most important things to consider early-on is the amount of control you want to have over the customer experience.
Many payment facilitators will outsource elements of the payments process to third-party vendors (such as a hosted e-commerce solution), which reduces their compliance scope, while others prefer to have more say in the user experience (such as the website and payments interface) to enable a more individualized or branded experience. That, in turn, increases their PCI scope.
According to Bucolo, it all comes down to two questions:
- Is it better for your business model to have the larger scope, consequently keeping more of the risk and resulting revenue while also enabling a more “individualized” user experience?
- Or, does outsourcing make more sense? It will mean less involvement and control over the process but also substantially smaller scope and lower risk.
Then there is the matter of what Bucolo refers to as residual scope.
Residual scope refers to any “leftover” risk that isn’t handled by the processor or the PF. In short, whatever is left for your submerchants to manage.
According to Bucolo, the “current aim of the PF model is to reduce the residual scope as much as possible – often with the use of technology.” The PF managing the hosting and processing for their submerchants is an ideal configuration to decrease residual scope, as it significantly reduces the amount of data touched by the submerchant.
When submerchants can defer most of the work to technology and let the PF worry about the processes associated with the app or software interface, this is the safest model for the PF. Bucolo gives the example of a company that provides software to realty companies for the purpose of collecting homeowners’ association fees. Here, the customer pays their annual dues through an app interface that is managed by the PF and in turn, scope is reduced for the submerchant (in this case, the realty company).
Payment Facilitators’ 4 Keys to PCI Success
1. Get Educated
For a new payment facilitator, the role of PCI compliance in payments can feel like a complex and mystifying relationship. The key first step to operating compliantly and effectively is education. Learning what you and your submerchants are responsible for, and why, will make the process easier from the beginning. There are online resources for PCI education, and companies that can provide documents to give you the base knowledge needed. These documents cover the basics of PCI compliance, as well as which aspects of your business can increase or decrease your PCI scope.
The PCI Security Standards Council’s website has a wealth of resources and documents for both payment facilitators and their submerchants.
2. Communicate with Submerchants
Communication between a payment facilitator and their submerchants is the next key to success. Once the PF is educated on PCI compliance, they must pass on the education that is applicable to their submerchants. The submerchant must be mindful of what they are responsible for and why. The “why” is often the most challenging but also the most important part. For both a PF and a submerchant, understanding why the steps they take to protect cardholder data matter gives context and substance to the policies and procedures.
As a PF, clearly articulating the elements of PCI that apply to submerchants and maintaining an open dialogue about the subject helps to ensure compliance throughout the life of the submerchant. When a submerchant has a question or concern that relates to PCI compliance the PF wants to ensure that submerchant has a way to get that resolved.
3. Seek Expert Help
Due to the global growth of credit card payments and more companies around the world storing card data, there are many resources and vendors payment facilitators can leverage to ensure they stay PCI compliant. Companies like ControlScan and Very Good Security provide innovative data storage solutions, allowing companies without a PCI or payments background to feel confident they are not putting their consumers’ data at risk.
4. Repeat
The last key to success is repetition. Once the policies and procedures are in place, the next step is to ensure these become part of the normal business routine for both the PF and their submerchants. Repetition of compliant activities is essential to maintaining PCI compliance.
PCI Compliance Glossary – What Are All Those Acronyms?
PCI DSS compliance can leave you swimming in a sea of acronyms and make for a steep learning curve. In an effort to help you navigate the terminology of compliance and its related protocols, we touch on some of the most common ones here for your reference.
PCI DSS: PCI stands for the Payment Card Industry. DSS refers to the Data Security Standard, the set of standards, or protocols, employed by the PCI council to proactively uphold the integrity of the payments system.
PCI SSC: Composed of the five major card brands (American Express, Discover, JCB, Mastercard, Visa), the Payment Card Industry Security Standards Council is tasked with maintaining the ongoing evolution of the PCI DSS.
QSA: A Qualified Security Assessor is a certified individual who meets specific information security education requirements and has taken the required training from the PCI council. QSAs are designated by the council to assist you in your compliance journey.
CFPB: The Consumer Financial Protection Bureau is an agency of the United States government responsible for consumer protection in the financial industry. They monitor banks, lenders and other financial companies to ensure a fair and just customer experience.
FTC: The Federal Trade Commission is an independent agency of the United States government whose mission is to protect both consumers and competition. They regulate the payments ecosystem by preventing anticompetitive, deceptive and unfair business practices.
FinCEN: With a charge to safeguard the financial system from illicit use, terrorist financing and money laundering, the Financial Crimes Enforcement Network promotes national security by collecting and analyzing financial data to prevent financial crimes. It is a bureau of the United States Department of the Treasury that supports local, state, federal and international financial investigations.
KYC: A very popular acronym in the payments space lately, Know Your Customer refers to the process payment facilitators employ to verify their customers (or submerchants) in terms of identity, suitability and potential risk. From a PF perspective, the most recent KYC mandate to be aware of is the Beneficial Ownership Rule of 2018.
AML: The term Anti-Money Laundering refers to a system of checks and balances employed in both the legal and financial industries to prevent, detect and report suspected money laundering activity. KYC is itself a form of AML, as is Combating Financial Terrorism (CFT), which involves detecting and cutting off sources of funding for activities intended to benefit organizations (political, religious, etc.) through the threat of violence.
BSA: Also known as the Currency and Foreign Transactions Reporting Act, the Bank Secrecy Act is legislation passed by the United States Congress requiring U.S. financial institutions to collaborate with the U.S. government when money laundering and/or fraud are suspected.