There’s always a certain level of risk when you’re running a business. That’s just the name of the game. But when you accept credit card payments from your customers, you’re assuming quite a bit more.
Now, you run the risk of fraudulent charges, returns, cancellations, identity theft, disputes, etc. That’s why it’s crucial to meet the current standards and regulations for PCI compliance when you accept this form of payment.
As governments look for more ways to reduce costs, electronic payments have become an economical method of purchase. Using credit or debit cards reduces the time it takes to receive funds, is less error-prone and makes it easier for residents to pay.
Any agency that stores, processes or transmits card data must comply with the Payment Card Industry Data Security Standard. This standard consists of 12 broad requirements in addition to over 200 line-item requirements. A full list of the requirements can be found at the PCI Security Council Standards website.
What is PCI Compliance?
The PCI Security Standards Council is a global organization that “maintains, evolves, and promotes Payment Card Industry standards for the safety of cardholder data across the globe.”
Their focus is to help merchants and financial institutions implement the current standards for security policies to ensure the safety of both your business and your customers.
If you choose to employ the services of a payment processor, it’s essential to keep security and compliance in mind when making that ever-crucial decision.
For those agencies that don’t meet the PCI requirements, the card brands may levy penalties, revoke services or even suspend their accounts. In the event cardholder data is compromised, agencies may suffer financial loss and be responsible for having cards reissued, as well as for future detection and prevention services required by the card associations. Agencies may be fined by the card associations based on the quantity of numbers stolen, and they may see increased transaction fees in the future.
Up-to-date PCI compliance can prevent these repercussions.
Merchants or agencies with less than 6 million transactions per year (levels 2, 3, and 4) must complete the PCI self-assessment questionnaire along with an attestation of compliance. After completion, the merchant’s acquiring bank must receive the results and documentation.
Level 1 agencies (those with over 6 million transactions in the past year) must submit to an annual on-site audit by a qualified security assessor that has passed the PCI Internal Security Assessment Training Program.
If a level 2, 3, or 4 agency has a breach where card data is compromised, it may be assigned level 1 validation and be subject to higher scrutiny in the future.
3 Reasons You Need Your Payment Processor to be PCI Compliant
A breach in security is always the most terrifying because it can end with an expensive settlement that could cost your company a lot of money.
According to Verizon’s PCI-DSS Compliance Report, over ten years, none of the companies they investigated had maintained compliance at the time they were breached. For example, Home Depot had a malware breach that affected 56 million payment cards. The company ended up paying a $19.5 million data breach settlement.
This is a significant blow to huge companies, but a lethal one to smaller businesses that are just starting out.
Education is the goal of the PCI Security Standards Council. They want businesses to understand the importance of staying up to date with the latest security protocols. Likewise, you can instill the same sense of trust by educating your own customers and “showing-off,” so to speak, your PCI-DSS compliance.
If you’ve ever done business with a company that’s had a data breach, you’ve probably felt the immediate impulse to drop them entirely and make the switch to their competition. Most people share the sentiment, and these companies see a radical drop in business when the news gets out.
Okay, so this one is more of a sell, but partnering with the right payment processor makes staying compliant easy. For example, BillingTree works hard to ensure we maintain modern PCI-DSS compliance so you can focus on the things that truly matter to your business.
What you should do to implement and sustain PCI compliance
Card network regulations
In order to accept card payments online, you must abide by card network regulations. These card-not-present scenarios involve extra layers of security that authenticate users and ensure the payment instruments are used legitimately and by their intended owners.
To ensure security throughout their networks, Visa, Mastercard and American Express request that processors and merchants employ tactics like:
- Requesting information on the parties involved in the payment: cardholder name, card number, email address, and the three-digit CVV code on the card
- Using additional verification tools, such as Address Verification Service
- Monitoring their order details and state of transactions
Card networks periodically update and enhance their policies in an effort to keep the online payment landscape safe. As a merchant, you need to stay on top of these updates to ensure your store’s compliance – a professional payment processor can take on a lot of that work to help guarantee your ongoing compliance.
Payment card breaches are a serious threat that you can and should manage. As patients increasingly use credit and debit cards to pay for their healthcare, you must stay on top of PCI compliance. Ensuring your payment processing solutions are PCI compliant will help you mitigate the risk of a breach and keep your patients’ data safe and secure, just as you protect their PHI.
PCI is Not Just an “IT Problem”
One of the challenges with PCI compliance is the myth that it is strictly an IT problem. Since a major part of compliance has to do with network security, it appears to fall squarely under the umbrella of technology. The reality, though, is that attackers are more likely to find inroads to an agency’s sensitive card data through non-technical methods and people. Employees working with card payment systems must be trained on how their job role fits within PCI compliance.
Agencies should shore up their PCI compliance before the end of the fiscal year. PCI compliance is not a once-and-done project, however. It requires agencies to meet all of the guidelines each year to maintain compliance.
Know Your Customer Processes
Know Your Customer (or KYC) is a process that has been around for over twenty years, used by businesses to verify the identity of their customers, especially online, through Customer Identification Programs (CIP). As online payment regulations go, KYC is not enforced by one authority, but rather takes on different forms as set by banks, government agencies, or industry bodies. One example of a KYC regulation was launched in the US in 2018 by the Financial Crimes Enforcement Network (FinCEN), which put into effect the Customer Due Diligence Requirements for Financial Institutions (CDD) rule.
AML laws and regulations target criminal activities including market manipulation, trade in illegal goods, corruption of public funds, and tax evasion, as well as the methods used to conceal these crimes and the money derived from them. They are intended to prevent criminals from disguising illegally obtained funds as legitimate income.
NACHA Operating Rules
All transactions made through the Automated Clearing House (ACH) are subject to NACHA operating rules. NACHA is the association of stakeholders that governs the smooth and secure running of payments made through ACH, by setting roles, responsibilities, and obligations for the financial institutions that handle this payment method.
NACHA rules are continually updated, so merchants who accept ACH payments need to ensure they follow the latest regulations. Some of the most recent NACHA updates from 2020 include:
- The per-day transaction dollar limit for same-day ACH transactions was increased to $100,000 from $25,000 per transaction, effective since March 2020.
- Better differentiation of unauthorized return reasons, with the introduction of new return reason codes, effective since April 2020.
- Additional data security requirements, obliging non-financial-institution originators to encrypt deposit account information when it is stored electronically, effective since June 2020.
Payment Service Directive 2 (PSD2) requirements
The role of PSD2 regulation is to guarantee the security of online card payments made in the EU. It does this by mandating a Strong Customer Authentication (SCA) mechanism for online transactions made with debit or credit cards.
Merchants who want to accept online payments from European shoppers need to meet SCA requirements, by integrating at least two of the following authentication mechanisms:
- Knowledge – something the customer knows, such as a password or a PIN.
- Ownership – something the customer has, for example a token or a mobile device.
- Identity – something the customer is, for example their fingerprint or face recognition.
These regulations are a must for all customer-initiated transactions that happen in Europe, and they cover online payments and bank transfers.
The most widely employed protocol for enforcing PSD2 is 3-D Secure 2 (3DS2). 3DS2 aims to make payment authentication frictionless by running a more thorough risk analysis on transaction data points while authenticating a payment.
Some notable exemptions from the Strong Customer Authentication mechanism include:
- Low-value transactions, under €30. If the online payment transaction value is lower than this amount, the transaction is exempt from SCA verification. However, if a specific customer has already had five transactions without SCA verification, or if the sum of recent transactions without an SCA challenge has reached €100, then the sixth transaction, or the next one in line, must undergo SCA verification by default.
- Fixed-amount subscriptions. For subscriptions that charge a fixed price each billing interval, only the first transaction must be SCA verified; subsequent ones are exempt.
- Merchant-initiated transactions. Some cases where the merchant has the card on file and initiates the transaction are exempt from the SCA challenge; in these use cases the issuer decides whether the exemption applies. This may cover recurring subscriptions (even of variable amounts, such as in pay-per-use models) or buy-now, pay-later models, but even in these cases the card has to be authenticated either when it is stored or during the first payment.
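The two-factor rule and the exemption thresholds above, as an added example (not code from the original article or any payment provider): it models the per-customer tally of unchallenged transactions that decides when the low-value exemption stops applying, and treats a merchant-initiated or subsequent subscription charge as exempt only if the card was authenticated earlier. Factor names, the counter model and the reason strings are hypothetical; a first subscription payment is passed through as a normal transaction.

```python
from dataclasses import dataclass

# Thresholds as described in the exemptions list (EUR); constants constructed for this example.
LOW_VALUE_LIMIT = 30.0       # transactions below this may use the low-value exemption
LOW_VALUE_MAX_COUNT = 5      # unchallenged transactions allowed before a challenge is forced
LOW_VALUE_MAX_TOTAL = 100.0  # cumulative unchallenged amount that forces the next challenge

# Factor categories as the page lists them; the factor labels are hypothetical.
FACTOR_CATEGORY = {
    "password": "knowledge", "pin": "knowledge",
    "otp_device": "ownership", "hardware_token": "ownership",
    "fingerprint": "identity", "face": "identity",
}


def meets_sca(factors):
    """SCA needs at least two factors drawn from different categories."""
    return len({FACTOR_CATEGORY[f] for f in factors}) >= 2


@dataclass
class ExemptionCounters:
    """Per-customer tally of unchallenged transactions since the last SCA (hypothetical model)."""
    count: int = 0
    total: float = 0.0

    def reset(self):
        self.count, self.total = 0, 0.0


def needs_sca(amount, counters, *, recurring=False, card_authenticated=False):
    """Return (challenge_required, reason) and update the low-value counters.

    recurring: a subsequent fixed-amount subscription charge or a merchant-initiated charge;
    exempt only when the card was authenticated at storage time or on the first payment.
    """
    if recurring:
        if card_authenticated:
            return False, "merchant-initiated/subscription: card already authenticated"
        return True, "card not yet authenticated"
    if amount < LOW_VALUE_LIMIT:
        if counters.count >= LOW_VALUE_MAX_COUNT:
            counters.reset()  # a challenge resets the running tally
            return True, "sixth unchallenged transaction"
        if counters.total >= LOW_VALUE_MAX_TOTAL:
            counters.reset()
            return True, "cumulative unchallenged amount reached EUR 100"
        counters.count += 1
        counters.total += amount
        return False, "low-value exemption"
    counters.reset()
    return True, "amount at or above EUR 30"
```

Note that with €29 transactions the cumulative €100 rule forces a challenge on the fifth payment, before the five-transaction count is exhausted.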
Beyond online payment regulations that provide for how user or payment data should be authenticated, stored, and processed, merchants need to follow each of their market’s tax regulations. If you’re selling cross border, chances are you will have to pay taxes, either in the form of Value Added Tax (VAT) or sales tax (sometimes known as GST).
The rules and regulations of when these taxes are collected and how they should be shown on a business’ site vary from country to country – and even from state to state within a country! – so merchants need to allot considerable effort to attaining fiscal compliance in all markets. Usually, a professional payment processing partner can offload a lot of this compliance effort through its automated systems.
Accepting online payments may seem like the most effortless action from the outside, but this piece has shown us that merchants actually go through a lot of hurdles and compliance work in order to sell globally.
The more markets a merchant targets, the more complexity that comes with online payment regulations. With the right payment provider, however, merchants are able to outsource a lot of this regulatory work to a seasoned partner.