HealPay On How SaaS, Payments Orchestration Providers Help Meet PCI Compliance

Complying with PCI standards is non-negotiable, but staying in compliance is both costly and time-consuming. In this month’s Payments Orchestration Playbook, Lance Carlson, chief operating officer of SaaS provider HealPay, explains how data vaulting and tokenization help merchants take the pain out of PCI compliance.

Keeping customers’ digital payment data safe and secure is a critical part of doing business in the digital economy, and following Payment Card Industry (PCI) compliance guidelines is an effective way for firms to accomplish this.

Most companies are aware of PCI standards, but many are still in the dark about what is required and how to fulfill the requirements without placing undue pressure on their own finances.

This issue looms larger than ever during the pandemic. Many businesses have been forced to go online or shutter their doors in the wake of reduced brick-and-mortar foot traffic. The droves of new businesses entering the digital space have been left wondering how to make their digital payments compliant as a result, and this lack of clarity is one of the biggest problems merchants face.

“The friction is mainly education,” said Lance Carlson, co-founder and chief operating officer for payment services software provider HealPay. “… The risk [is] that [businesses] don’t realize what they’re taking on by not actually going through the required steps to make sure that they are being PCI-compliant and that they are doing safe things with their data. … They can’t just get charged the PCI noncompliance fee and be OK with that.”

PCI noncompliance can result in merchants having to pay hefty legal fees if customers’ sensitive personal information is exposed in a data breach. Carlson explained in an interview with PYMNTS how using payments orchestration providers (POPs) for data vaulting and tokenization can help companies keep their customers’ sensitive card data safe from fraud without breaking the bank.

Getting Up to Speed on Compliance

The cost of ensuring and maintaining compliance is a common hurdle for merchants. Firms looking to verify that their operations follow PCI requirements must pay not only to have their businesses audited but also to bring them up to speed if they do not.

This can be particularly burdensome for smaller firms. Small businesses often lack the resources for either compliance audits or building and maintaining their own in-house compliance teams, according to Carlson. Firms below a certain size can outsource these operations to third-party providers specializing in compliance, however, so that they can be free to focus time and resources on their own core competencies. Software-as-a-Service (SaaS) providers offer digital solutions that can help merchants ensure that their card transactions are up to PCI standards. Carlson pointed to HealPay’s over-the-phone card payment compliance offerings as an example.

“HealPay’s products allow agents to answer [a customer’s call] … and negotiate settlement offers, or whatever needs to be done, and then, from there, they can forward the [consumer] to the automated payment system, which is not recorded, and then that information can be sent in a PCI-compliant way to our payment services directly,” Carlson explained.

This eliminates the chance that customers’ card data might be stolen and used by the human agents with whom they speak over the phone.

SaaS providers such as HealPay can also help firms encrypt card transactions processed on their websites so they meet PCI compliance standards — an action that is growing more important as the pandemic progresses. Consumers have shifted to buying more online during the health crisis, and many merchants have responded by adopting digital payment capabilities for the first time. This has led to a sharp increase in the number of merchants seeking third-party assistance to meet PCI compliance.

“[Merchants] that were completely in the Stone Age and had no great way [for consumers to pay] online … were urgently trying to figure out a way to get up and running with online payments,” Carlson said.

Sharing the Compliance Burden

Another way third-party providers can add value to merchants’ compliance operations is by eliminating the risk businesses take when storing their customers’ data in-house. Some firms may even be unaware of this risk.

“People don’t actually realize that you need to get insured to hold sensitive data, and if you can’t afford the insurance, you need to be pushing [the data] as far through your system — and not [holding it] in your hands — as possible,” Carlson explained.

Storage of sensitive customer data can be prohibitively expensive to businesses of any size, however.

“[Even] larger merchants that are trying to hold their own credit card data, I think it’s suicide,” he said.

This risk creates a dire need for most businesses — including HealPay — to find alternative means of storing their customers’ card information.

Neutral third-party POPs, such as Spreedly, can store merchants’ business-critical data for them, eliminating their need to obtain insurance to hold that data and reducing their compliance burden. POPs store card information in their own data vaults and tokenize it, so that a transaction references the card by token rather than by the card data itself. Carlson likened the practice to a game of hot potato.

“You, [as a consumer], can log in through that medium, put in your card information or bank account information and know that it’s being encrypted and we saved your password [and] your credit card information through Spreedly because we don’t want to hold on to that information either,” he said.

Payment information is sent down the line until it reaches the POP, where it is stored in a secure, PCI-compliant fashion. Relying on third parties to store this data also makes the auditing process easier. With customers’ data stored in a third-party data vault, payments service providers need only act as intermediaries that transmit data from that vault to their own merchants, reducing the portion of their operations that must be examined during compliance audits.
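An added illustration of the vault-and-token split described above (not HealPay’s or Spreedly’s code; the `Vault` class is a hypothetical stand-in for a POP’s data vault): the merchant’s records hold only an opaque token and the last four digits, the vault alone maps tokens back to card numbers, and a scope check confirms no full card number sits on the merchant’s side.

```python
import re
import secrets

# Constructed sample data: a well-known test card number, not a real account.
SAMPLE_PAN = "4111111111111111"
# Anything that looks like a 13- to 19-digit run is treated as a full card number.
PAN_PATTERN = re.compile(r"\b\d{13,19}\b")


class Vault:
    """Hypothetical POP data vault: keeps the card number, hands out opaque tokens."""

    def __init__(self):
        self._cards = {}  # token -> PAN; this mapping never leaves the vault

    def tokenize(self, pan: str) -> dict:
        token = "tok_" + secrets.token_urlsafe(16)  # random, not derived from the PAN
        self._cards[token] = pan
        return {"token": token, "last4": pan[-4:]}  # what the merchant is allowed to keep

    def charge(self, token: str, amount_cents: int) -> bool:
        # The vault, inside its own PCI scope, resolves the token and submits the charge.
        return token in self._cards and amount_cents > 0


class Merchant:
    """Merchant system that relies on the vault instead of storing card data itself."""

    def __init__(self, vault: Vault):
        self.vault = vault
        self.customers = {}  # customer_id -> {"token", "last4"}; no PAN is ever written

    def save_card(self, customer_id: str, pan: str) -> str:
        ref = self.vault.tokenize(pan)  # PAN passed straight through, "hot potato" style
        self.customers[customer_id] = ref
        return ref["token"]

    def pay(self, customer_id: str, amount_cents: int) -> bool:
        return self.vault.charge(self.customers[customer_id]["token"], amount_cents)


def pan_leaked(records: dict) -> bool:
    """Scope check: True if any stored value contains what looks like a full card number."""
    return any(PAN_PATTERN.search(str(value)) for value in records.values())
```

Running `pan_leaked` over a merchant that stores raw card numbers returns True, which is exactly the condition that pulls that system into full PCI audit scope.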

“The only thing that we [at HealPay] have to think about when we audit our internal systems in sending the data to Spreedly is to make sure that we’re doing it obviously in an encrypted fashion, that we have all of our networks properly configured,” Carlson explained.

Merchants’ risks of falling short on compliance requirements will continue to mount, along with the pressure to meet their customers’ demands for eCommerce experiences. Payments orchestration can be a useful tool for businesses looking to reduce their compliance burdens while ensuring their customers’ data security.