PCI DSS 4.0 affects not only merchants; payment facilitators will also need to make changes to their cybersecurity protocols. Payment facilitators (PayFacs) must follow the same procedures as companies to ensure that personally identifiable information (PII) is secure from breaches.
Consumers do want a faster and more seamless experience when using their debit or credit cards, but they also want assurance their personal information is safe. This includes everyone from the merchant to the facilitator that processes their payments. Some PayFacs will find it necessary to update their cybersecurity protocols, while others will learn that they’re already meeting PCI compliance 4.0.
In this guide, you’ll find out everything you need to know about how PCI DSS 4.0 affects payment facilitators along with what is required to meet compliance.
What Is a Payment Facilitator?
A payment facilitator is simply a third party that processes credit and debit card payments for merchants. Commonly referred to as PFs, this is a sub-merchant that simplifies the enrollment process merchants go through to accept card payments.
Merchants no longer have to submit a request for an identification number (MID); instead, the third-party platform blankets the company under its own. An example of how PFs work for merchants:
- The merchant submits a request for an account and several data points are collected, usually 7 to 8.
- The collected data points are reviewed and either approved or rejected by an underwriting tool. This step is done in real-time, so merchants will immediately see if they qualify.
- When the merchant is approved, they will be under the sub-merchant’s MID.
While this does simplify the process a merchant goes through to be able to accept payments from bank or credit union issued cards, it also places responsibility on the facilitator.
Payment facilitators can be anyone from Stripe and Cube to PayPal, among others. However, there are risks for third parties. If there is a security breach on their or a company’s end, both will be held responsible and subject to fines and penalties handed down by the Security Standards Council (SSC).
There is a simple and cost-effective way to avoid non-compliance issues with third-party payment facilitators. It is also recommended by the PCI council. Companies that bring in a qualified security assessor (QSA) typically experience fewer cyber breaches on average. A QSA will know the right questions to ask payment facilitators to ensure that they are meeting all industry compliance standards. QSAs are also familiar with the cybersecurity protocols that are best suited to meet the business’s needs.
Payment facilitators do make it easier for merchants, but they also need to meet PCI 4.0 compliance standards to avoid penalties.
What PCI DSS 4.0 Means for Payment Facilitators
Technological innovations do simplify the payment process for merchants and consumers, but this also makes third-party processors vulnerable to security breaches. In response to changing technology, the SSC revised its compliance regulations for PCI DSS compliance.
Version 4.0 does allow new technologies that meet the SSC’s requirements to be implemented to protect PII. However, anyone that handles, manages, stores, or sends PII must meet all compliance standards.
The SSC stated in a press release:
“Our payment systems continue to become more software dependent with exponential ways we connect applications to other applications and the speed of transferring data. Yet consumers and businesses alike expect payment transactions to remain secure and demonstrate integrity.”
The standards help reduce the friction of implementing payments software in this environment “by emphasizing an objective- outcome-based approach as part of the framework with an emphasis on exceptional security design and management practices to react more quickly to any potential vulnerability,” said Tony Leach, Chief PCI DSS Technology Officer.
This does give payment facilitators options on how they meet the new compliance guidelines outlined in PCI DSS 4.0.
Why Payment Facilitators Need to Be PCI DSS Compliant
PCI compliance can be a hassle. Ensuring that all cybersecurity protocols are in place can be time-consuming and expensive. However, credit card fraud remains a constant threat, and hackers are finding new vulnerabilities in payment systems every day. The Federal Trade Commission (FTC) 2018 consumer fraud report indicated that losses from credit card fraud were $131 million.
PCI DSS compliance regulations protect not only credit card companies from fraud but also consumers. The required cybersecurity measures protect consumers’ PII from identity thieves. When people are making a purchase with their credit or debit card, they expect their information to remain private and secure.
Payment facilitators that experience breaches face the same risks and penalties as merchants and third-party vendors. Their company reputation can be ruined, which often results in loss of business and even employees. PCI compliance gives consumers proof that their data is secure and protects PFs from expensive fines and penalties.
What Is PCI DSS?
Before you can check for any potential non-compliance issues, you have to know what PCI DSS is. The simple explanation is that PCI DSS standards are designed to keep cardholder information secure. The standards are set by the security council founded by Mastercard, Visa, American Express, Discover, and JCB.
These are global cybersecurity standards that any business, regardless of size, must adhere to if it accepts debit and/or credit cards. If you’re still not sure whether PCI compliance applies to your company, it does if:
- You’re a merchant that processes, stores, or transmits cardholder data.
- You’re a credit-card-based payment facilitator.
It’s not uncommon for companies and PFs to treat PCI DSS compliance as an annual project. This is true. PCI audits are only required annually as long as there aren’t any breaches. If a cybersecurity breach does happen, an audit will be needed before compliance is reinstated.
However, the best practice is to regularly check for potential vulnerabilities across all systems and networks. Taking a proactive approach to cybersecurity will make it easier to stay in compliance.
PCI Compliance Mistakes to Avoid
A common mistake payment facilitators make is presuming that the systems and applications they’re using are compliant with PCI DSS 4.0 standards. This is only a part of meeting compliance regulations.
The environment in which the tools operate plays an equal role in meeting and maintaining compliance standards.
One example of how you, as a payment facilitator, could be out of compliance is if the merchant doesn’t have adequate cybersecurity protocols implemented on their systems, networks, and/or applications. Even if you’ve met all the regulations on your end, you’ll still be out of compliance.
Another mistake is not paying attention to data access points. Access to data must be restricted and PCI DSS 4.0 is expected to require a two-step identification process. This will add another layer of protection around cardholder information. As a payment facilitator, this needs to be addressed regularly.
There are steps you can take to avoid these and other compliance mistakes. The first one is to hire a qualified security assessor (QSA) to create and maintain a secure environment. This also applies to your sub-merchants.
The reason you might want to bring a QSA on board is simple. They are certified by the PCI council, the same governing body that creates the required cybersecurity standards. They know what questions to ask you and your employees that will allow them to avoid mistakes and create effective cybersecurity protocols.
What Is “PCI Scope”?
As a payment facilitator, you’re responsible for your own and your sub-merchants’ cybersecurity. Chris Bucolo, SVP of Market Strategy at ControlScan, stated,
“It’s very clear that the PCI Buck stops at the payment facilitator.”
“PCI compliant” is the phrase used to refer to meeting all compliance standards. It means you have adequate cybersecurity protocols across all networks, systems, applications, and employee devices.
Failing to implement the same cybersecurity on personal devices and mobile networks will put all PII at risk. It is also a compliance violation. There are a couple of steps you can take to ensure that the phrase “PCI compliant” applies to you:
- Prevent data from being intercepted by hackers. PCI DSS 4.0 requires that cardholder data be encrypted when being sent or received from a mobile device.
- To protect PII that is being processed or stored on a mobile device, the device should have the same cybersecurity protocols implemented as in-house systems. This includes employee personal devices if they are used to access the system.
These simple tips will help you get and stay in PCI compliance even as new technology is added or your business expands.
Four Tips to Help Payment Facilitators with PCI
Even if you’re familiar with previous versions of PCI DSS, there will be changes that go into effect in late 2020. To ensure that you’re prepared for the annual audit, here are four tips that will help you be successful.
New and long-time payment facilitators will benefit from learning about the PCI DSS compliance process. Knowing what standards you and your sub-merchants are responsible for implementing will make the process faster and easier.
You can find information from several resources, including online sources and companies that specialize in cybersecurity, like RSI Security. Some of the best educational materials, including documents, are on the PCI DSS SSC’s website.
As a payment facilitator, you’re responsible for your sub-merchants. This means communication is vital. Once you’re familiar with PCI DSS, it’s important that you pass the knowledge to others who have access to the network.
It’s important for a sub-merchant to understand not only PCI DSS standards but also why the regulations are needed. Understanding why implementing the cybersecurity protocols is important will make it easier for payment facilitators and their sub-merchants to work together.
- Consult an Expert
Even though there is a cost associated with consulting or hiring an expert, usually a QSA, it is worth it. In the long run, it can even be less expensive than trying to implement and maintain the protocols necessary for compliance.
An expert will also be able to address any mistakes before they become compliance issues. They can also train employees on maintenance protocols.
- Repeat Protocols
Once the cybersecurity protocols are in place, you don’t want to wait to run a check until the annual audit. The key to maintaining PCI compliance is constantly checking for vulnerabilities. This includes all systems, applications, and devices. The policies and procedures for cybersecurity should become routine. This applies to the payment facilitator and sub-merchant.
PCI DSS 4.0 will affect payment facilitators by allowing them more freedom in how they protect new payment processing technology. This includes personal devices that still have access to the cardholder data environment. While this will allow PFs to grow, along with their sub-merchants, it also puts the burden of PCI compliance on the payment facilitator. It is their responsibility to ensure their sub-merchants are meeting PCI regulations.
Meeting industry cybersecurity standards can be expensive. Some payment facilitators may even experience an interruption in operations. However, not being in compliance can be financially devastating to a business. When it’s time to improve cybersecurity protocols, there are experts that can help.
Are you ready to improve your security posture and handle possible gaps proactively? RSI Security is an Approved Scanning Vendor (ASV) and Qualified Security Assessor (QSA) company with extensive experience helping businesses become compliant with the PCI DSS framework. Contact RSI today for a free consultation.