The Payment Facilitator Perspective: PCI Compliance
When it comes to ensuring Payment Card Industry Data Security Standards (PCI DSS) compliance, there can be a lot of moving parts. As a payment facilitator (PF), the PCI standards have an extensive impact on you and your business model.
So how can you successfully navigate the PCI landscape, as it relates to the PF model, in a manner that is both affordable and effective?
In this article, we’ll discuss the ins and outs of PCI DSS compliance as it relates specifically to payment facilitators – as well as provide you with helpful tips for navigating the world of PCI Compliance. We’ll talk about common PF pitfalls when it comes to compliance, why PFs are at risk, potential steps to take in order to avoid exploitation and PCI scope for payment facilitators.
But let’s start off with the basics. What is compliance and why is it so important?
What is PCI?
To put it simply, the PCI DSS standards exist to protect cardholder data. Developed and maintained by the PCI Security Standards Council (founded by five of the largest card brands: American Express, Discover, JCB, Mastercard, and Visa), the PCI standards are a collaborative effort within the payments industry to uphold and protect the integrity of the payments system and ensure security for cardholders.
This means any entity that stores, processes or transmits cardholder data is subject to compliance standards and requirements – including payment facilitators.
The ability to uphold transparent data security protocols that are deemed compliant with PCI is what ultimately protects you and your submerchants from data compromise and its associated costs – from both a financial and brand integrity perspective. Both can be material in nature when data breaches occur.
Common PCI Pitfalls
The most common mistake companies make when it comes to compliance is running on the assumption that they are already in alignment with PCI requirements because they’re using systems or applications assumed to be compliant. But that’s only part of the equation.
Believe it or not, the environment within which those systems operate is often just as important as the applications themselves.
For example, if one of your submerchants uses a compliant software system for payment remittance but there are insufficient security protocols in place for who has access to the payments system at the merchant location, you (the PF) could be in compliance violation. Even if a system is compliant, unrestricted access can still result in unwanted data compromise and costly fees that you, as the PF, may be liable for. This is just one of many examples of common pitfalls that often go overlooked.
One of the most proactive steps you can take as a PF is retaining the services of a certified QSA to help you establish and maintain a compliant environment for you and your submerchants. QSAs are certified by the PCI council to guide you along your compliance journey. They know the right questions to ask, the most common pitfalls, as well as the most effective and affordable protocols to employ to get your business where it needs to be.
Most major credit card processors for payment facilitators require a yearly QSA assessment to ensure that the PFs are maintaining their PCI compliance. This yearly assessment allows PFs to make sure their ever-changing business is keeping up with compliance needs, a needed step to minimize risk as a payment facilitator.
There are several security and compliance companies registered through the PCI SSC (Security Standards Council) that can pair you with a QSA that’s right for you. You can also find a list of approved companies here.
Scope it Out
When it comes to navigating through PCI in the PF landscape, it’s important to know that as a PF there are two pieces to the puzzle. A PF is responsible for their own compliance and the compliance of their submerchants. In an effort to drill down on what this means, Chris Bucolo, SVP of Market Strategy at ControlScan (a leading security and compliance provider and partner of Infinicept, recently purchased by Global Solutions), offered PFs some sage advice.
According to Bucolo, “it’s very clear that the PCI buck stops at the payment facilitator.”
“PCI scope” is a common phrase when it comes to successfully adhering to the PCI standards. Your PCI scope refers to the elements of your unique business environment (including people, systems, and technology) that directly or indirectly influence the security of the cardholder data you process.
This being the case, one of the most important things to consider early on is the amount of control you want to have over the customer experience.
Many payment facilitators will outsource elements of the payments process to third-party vendors (like an ecommerce hosted solution), which enables a lower compliance scope for the PF, while others prefer to have more say in the user experience (such as the website and payments interface) to enable a more individualized or branded experience. This will, in turn, increase their PCI scope.
According to Bucolo, it all comes down to two questions:
- Is it better for your business model to have the larger scope, consequently keeping more of the risk and resulting revenue while also enabling a more “individualized” user experience?
- Or, does outsourcing make more sense? It will mean less involvement and control over the process but also substantially smaller scope and lower risk.
Then there is the matter of what Bucolo refers to as residual scope.
Residual scope refers to any “leftover” risk that isn’t handled by the processor or the PF. In short, whatever is left for your submerchants to manage.
According to Bucolo, the “current aim of the PF model is to reduce the residual scope as much as possible – often with the use of technology.” An ideal scenario in this model will have you (the PF) managing the hosting and processing for your submerchants, therefore significantly reducing their scope as they will be touching very little of the data.
When the submerchants can defer most of the work to technology and let the PF worry about the processes associated with the app or software interface, this is the safest model for the PF. Bucolo gives the example of a company that provides software to realty companies for the purpose of collecting homeowners’ association fees. Here, the customer pays their annual dues through an app interface that is managed by the PF and this reduces the scope for the submerchant (in this case, the realty company).
Why Are PFs at Risk?
Anyone who processes, stores or transmits card data is at risk. Since all transaction data for a payment facilitator’s submerchants is stored within the PF’s payment infrastructure, the PF is responsible for keeping this information secure.
When it comes to PCI risk and the PF landscape, it’s ultimately dictated by the amount of vigilance you employ around your submerchants.
Many PFs have a large number of submerchants onboarded under their system, and this increases the PCI scope. On top of that, many of these merchants are smaller or micro merchants who have never needed to focus on PCI compliance in the past. If both the PF and submerchants are not careful, they can leave an opportunity for bad actors to infiltrate the system.
The payment facilitator model is increasingly gaining in popularity and becoming a disruptor in the payments space. This means there is a lot of buzz and news coming out around this topic. Just as more and more people in the software and payments industry are learning about the model, more and more bad actors are learning about it as well and strategizing how to take advantage.
Given this shift and disruption of the payment industry, many of the companies adopting the payment facilitator model are not traditional payment companies. This likely puts them at greater risk as payments and PCI compliance are not core competencies of many of these businesses. They are also not as familiar with the risks associated and the processes required to mitigate this risk. It is always recommended that companies looking to become payment facilitators speak with someone well versed in the PCI landscape.
Due to the global growth of credit card payments and more companies around the world storing card data, there are many resources and vendors payment facilitators can utilize to ensure that they are staying PCI compliant. Companies like ControlScan and Very Good Security are providing innovative data storage solutions, allowing companies without a PCI or payments background to feel confident they are not putting their consumers’ data at risk.
Payment Facilitator’s Keys to PCI Success
For a new payment facilitator, PCI compliance and how it fits together with payments can feel like a complex and mystifying relationship. The key first step to operating compliantly and effectively is education. Learning what the payment facilitator and their submerchants are responsible for, and why, will make the process easier from the beginning. There are online resources for PCI education and companies that can provide documents to give you the base knowledge needed. These documents will cover the basics of PCI compliance, as well as what aspects of your business can increase or decrease PCI scope as a PF.
The PCI Security Standards Council’s website has a wealth of resources, with a host of documents for both payment facilitators and their submerchants.
Communication between a payment facilitator and their submerchants is the next key to success. Once the PF is educated on PCI compliance they must pass on the education that is applicable to their submerchants. The submerchant must be mindful of what they are responsible for and why. The “why” is often the most challenging but also the most important. For both a PF and submerchant, knowing why the steps they are taking to protect cardholder data is important will give context and substance to the policies and procedures.
As a PF, clearly articulating the elements of PCI that apply to your submerchants and then maintaining an open dialogue about the subject helps to ensure compliance throughout the life of the submerchant. When a submerchant has a question or concern that relates to PCI compliance, the PF wants to ensure that submerchant has a way to get it resolved.
The last key to success is repetition. Once the policies and procedures are in place, the next step is to ensure these become part of the normal business routine for both the PF and their submerchant. Repetition of compliant activities is pivotal to maintaining PCI compliance.
The Big Picture
PCI compliance, from a big picture perspective, is more of a journey than a destination. It requires time, attention and consistent vigilance around your PCI scope and compliance protocols to both establish and maintain a secure environment for you and your submerchants.
But it’s not a journey you have to embark on alone. Hiring a competent QSA and establishing a relationship with a PCI-certified security and compliance provider as well as an effective submerchant oversight program, can ensure a more effective and enjoyable experience when it comes to creating a compliant environment you and your submerchants can thrive in.
PCI Compliance Glossary – What Are All Those Acronyms?
PCI DSS compliance can leave you swimming in a sea of acronyms and make for a very challenging learning curve. To help you navigate through the terminology of compliance and its related protocols, we touch on some of the most common ones here for your reference.
PCI DSS: PCI stands for the Payment Card Industry. DSS refers to the Data Security Standard, which is the set of standards, or protocols, employed by the PCI council to proactively uphold the integrity of the payments system.
PCI SSC: Comprised of the 5 major card brands (American Express, Discover, JCB, Mastercard, Visa), the Payment Card Industry Security Standards Council is tasked with the goal of maintaining the ongoing evolution of the PCI DSS.
QSA: A Qualified Security Assessor is a certified individual that meets specific information security education requirements and has taken the required training from the PCI council. They are individuals designated by the council to assist you in your compliance journey.
CFPB: The Consumer Financial Protection Bureau is an agency of the United States government responsible for consumer protection in the financial industry. They monitor banks, lenders and other financial companies to ensure a fair and just customer experience.
FTC: The Federal Trade Commission is an independent agency of the United States government whose mission is to protect both consumers and competition. They regulate the payments ecosystem by preventing anticompetitive, deceptive and unfair business practices.
FinCEN: With a charge to safeguard the financial system from things like illicit use, terrorist financing and money laundering, the Financial Crimes Enforcement Network promotes national security by collecting and analyzing financial data to prevent financial crimes. It is a bureau of the United States Department of the Treasury that supports local, state, international and federal financial investigations.
KYC: A very popular acronym in the payments space lately, Know Your Customer refers to the process payment facilitators employ to verify their customers (or submerchants) in terms of identity, suitability and potential risk.
AML: The term Anti-Money Laundering refers to a system of checks and balances employed in both the legal and financial industries to prevent, detect and report suspected money laundering activity. KYC is actually a form of AML, and also of Combating Financial Terrorism (CFT), which involves detecting and preventing sources of funding for activities intended to benefit organizations (political, religious, etc.) through the threat of violence.
BSA: Also known as the Currency and Foreign Transactions Reporting Act, the Bank Secrecy Act refers to a piece of legislation passed by the United States congress requiring U.S. financial institutions to collaborate with the U.S. government when money laundering and/or fraud are suspected.
About the author: Deana Rich is a highly respected payments industry professional with unparalleled risk, operations, and compliance experience. In 2004 she founded Deana Rich Consulting, Inc, providing strategic risk management services to the payments industry. The company helped clients understand their risk tolerances, recognize their vulnerabilities, initiate effective procedures to manage exposures and implement the right risk policies, processes, and systems. In 2014 Deana Co-founded Infinicept – combining her consulting experience with SaaS based software that allows clients to get payments going their way.