Solving for the Payment Facilitator’s PCI Risk


3 ways to ensure your business doesn’t get taken by surprise.

October 31, 2018 • Published by


Each payment facilitator’s PCI risk is unique.

Once an obscure processing model for special situations, the business of payment facilitation is now burgeoning. There are many benefits to becoming a payment facilitator, including increased control over the user experience. Unfortunately, the same qualities that serve as benefits often raise the payment facilitator’s PCI risk.

Payment facilitators typically support merchants with low sales volumes and/or specialized needs. These businesses don’t normally have someone with deep knowledge of payments or data security—in fact, it’s often initially just a few people running the whole show. That’s a lot of risk to accept, if you think about it, because the payment facilitator is on the hook for any one of these businesses that has a credit card data breach.

But wait… there’s more. Because the payment facilitator business itself handles credit card data, it too is subject to compliance with the Payment Card Industry Data Security Standard (PCI DSS). Hence more PCI risk. And, that level of risk is unique based on the way the business processes payments.

Tip #1: Invest in some PCI QSA advisory hours.

If you’re thinking of becoming a payment facilitator—or even if you’ve been in the PayFac business for a year or two—investing in some advisory hours with a PCI Qualified Security Assessor (QSA) is a wise first step in PCI risk management. QSAs provide expert guidance on how your technology and processes adhere to the PCI DSS, as well as how to reduce your business’s scope of compliance.

Early consultation with a QSA can make a huge difference in your business’s ability to cost-effectively reduce risk in compliance with the PCI DSS. Best of all, the earlier you start, the more you save.

Tip #2: Assist merchants with their own PCI compliance.

Visa is crystal clear in its expectations of each player within the payment processing ecosystem. When it comes to payment facilitators, Visa expects full enforcement of all rules and operating regulations, including those involving the PCI DSS. It is your responsibility to ensure that your merchants are PCI compliant—and trust me, they will need your assistance.

The good news is that we’ve seen the PCI requirements applying to merchants reduced by as much as 50% to 90% when security and compliance are addressed up front, rather than being swept under the rug. Most merchants want to do the right thing; they just need to be shown how.

Tip #3: Maintain relationships with trusted advisors.

You’ve got a business to run, and while risk management is a part of it, it shouldn’t occupy the top of your personal priority list. The payments industry is filled with niche expertise on every facet of the process. Over the years, I’ve built relationships with people I consider my “trusted advisors”—people who can be counted on for their insight and connectivity.

Payment facilitators will benefit immensely from trusted-advisor relationships in the payments space, especially on the topics of security and compliance. If you’re looking for some guidance, my colleagues and I would be happy to help.