Complying with PCI standards is non-negotiable, but staying in compliance is both costly and time-consuming. In this month’s Payments Orchestration Playbook, Lance Carlson, chief operating officer of SaaS provider HealPay, explains how data vaulting and tokenization help merchants take the pain out of PCI compliance.
Keeping customers’ digital payment data safe and secure is a critical part of doing business in the digital economy, and following Payment Card Industry (PCI) compliance guidelines is an effective way for firms to accomplish this.
Most companies are aware of PCI standards but many are still in the dark about what is required and how to fulfill the requirements without placing undue pressure on their own finances.
This issue looms larger than ever during the pandemic. Many businesses have been forced to go online or shutter their doors in the wake of reduced brick-and-mortar foot traffic. The droves of new businesses entering the digital space have been left wondering how to make their digital payments compliant as a result, and this lack of clarity is one of the biggest problems merchants face.
“The friction is mainly education,” said Lance Carlson, co-founder and chief operating officer for payment services software provider HealPay. “… The risk [is] that [businesses] don’t realize what they’re taking on by not actually going through the required steps to make sure that they are being PCI-compliant and that they are doing safe things with their data. … They can’t just get charged the PCI noncompliance fee and be OK with that.”
PCI noncompliance can result in merchants having to pay hefty legal fees if customers’ sensitive personal information is exposed in a data breach. Carlson explained in an interview with PYMNTS how using payments orchestration providers (POPs) for data vaulting and tokenization can help companies keep their customers’ sensitive card data safe from fraud without breaking the bank.
Getting Up to Speed on Compliance
The cost of ensuring and maintaining compliance is a common hurdle for merchants. Firms looking to verify that their operations follow PCI requirements must pay not only to have their businesses audited but also to bring them up to speed if they do not.
This can be particularly burdensome for smaller firms. Small businesses often lack the resources for either compliance audits or building and maintaining their own in-house compliance teams, according to Carlson. Firms below a certain size can outsource these operations to third-party providers specializing in compliance, however, so that they can be free to focus time and resources on their own core competencies. Software-as-a-Service (SaaS) providers offer digital solutions that can help merchants ensure that their card transactions are up to PCI standards. Carlson pointed to HealPay’s over-the-phone card payment compliance offerings as an example.
“HealPay’s products allow agents to answer [a customer’s call] … and negotiate settlement offers, or whatever needs to be done, and then, from there, they can forward the [consumer] to the automated payment system, which is not recorded, and then that information can be sent in a PCI-compliant way to our payment services directly,” Carlson explained.
This eliminates the chance that customers’ card data might be stolen and used by the human agents with whom they speak over the phone.
SaaS providers such as HealPay can also help firms encrypt card transactions processed on their websites so they meet PCI compliance standards — an action that is growing more important as the pandemic progresses. Consumers have shifted to buying more online during the health crisis, and many merchants have responded by adopting digital payment capabilities for the first time. This has led to a sharp increase in the number of merchants seeking third-party assistance to meet PCI compliance.
“[Merchants] that were completely in the Stone Age and had no great way [for consumers to pay] online … were urgently trying to figure out a way to get up and running with online payments,” Carlson said.
Sharing the Compliance Burden
Another way third-party providers can add value to merchants’ compliance operations is by eliminating the risk businesses take when storing their customers’ data in-house. Some firms may even be unaware of this risk.
“People don’t actually realize that you need to get insured to hold sensitive data, and if you can’t afford the insurance, you need to be pushing [the data] as far through your system — and not [holding it] in your hands — as possible,” Carlson explained.
Storage of sensitive customer data can be prohibitively expensive to businesses of any size, however.
“[Even] larger merchants that are trying to hold their own credit card data, I think it’s suicide,” he said.
This risk creates a dire need for most businesses — including HealPay — to find alternative means of storing their customers’ card information.
Neutral third-party POPs, such as Spreedly, can store merchants’ business-critical data for them, eliminating their need to obtain insurance to hold that data and reducing their compliance burden. POPs store card information in their own data vaults and tokenize that data whenever it needs to be extracted for a transaction. Carlson likened the practice to a game of hot potato.
“You, [as a consumer], can log in through that medium, put in your card information or bank account information and know that it’s being encrypted and we saved your password [and] your credit card information through Spreedly because we don’t want to hold on to that information either,” he said.
Payment information is sent down the line until it reaches the POP, where it is stored in a secure, PCI-compliant fashion. Relying on third parties to store this data also makes the auditing process easier. With customers’ data stored in a third-party data vault, payments service providers need only act as intermediaries to transmit data from that vault to their own merchants, reducing the scope of their operations needing examination during compliance audits.
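The vault-and-token flow described above, as an added example that is not HealPay's, Spreedly's or PYMNTS' code: a minimal vault that hands the merchant a random token plus the last four digits, and an audit check confirming that the merchant's own storage holds no full card number. The `Vault` and `Merchant` names, the in-memory storage and the sample card number are constructed assumptions.

```python
import json
import re
import secrets
from dataclasses import dataclass, field


@dataclass
class Vault:
    """The POP side: the only party that retains card numbers (in memory for this demo)."""
    _pans: dict = field(default_factory=dict)  # token -> PAN

    def tokenize(self, pan: str) -> dict:
        digits = pan.replace(" ", "")
        if not (digits.isdigit() and 12 <= len(digits) <= 19):
            raise ValueError("malformed card number")
        # A random token carries no information about the PAN, so it cannot be reversed,
        # and tokenizing the same card twice yields two unrelated tokens.
        token = "tok_" + secrets.token_urlsafe(16)
        self._pans[token] = digits
        return {"token": token, "last4": digits[-4:]}

    def charge(self, token: str, amount_cents: int) -> dict:
        """Look the PAN up by token; the merchant never sees it during a charge."""
        if token not in self._pans:
            raise KeyError("unknown token")
        # Stand-in for forwarding the PAN to the card processor.
        return {"approved": amount_cents > 0, "token": token}


@dataclass
class Merchant:
    """Merchant side: keeps only the token and last four digits, never the PAN."""
    vault: Vault
    customers: dict = field(default_factory=dict)  # customer_id -> stored record

    def save_card(self, customer_id: str, pan: str) -> dict:
        record = self.vault.tokenize(pan)  # PAN passes through and is not retained
        self.customers[customer_id] = record
        return record

    def charge_customer(self, customer_id: str, amount_cents: int) -> dict:
        return self.vault.charge(self.customers[customer_id]["token"], amount_cents)


def merchant_holds_pan(merchant: Merchant) -> bool:
    """Audit check: any 12+ digit run in merchant storage would pull it into PCI scope."""
    return re.search(r"\d{12,}", json.dumps(merchant.customers)) is not None
```

The audit check is the part worth reusing: run the same digit-run scan over a real merchant database export or log sample to confirm that nothing but tokens and display digits ever landed there.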
“The only thing that we [at HealPay] have to think about when we audit our internal systems in sending the data to Spreedly is to make sure that we’re doing it obviously in an encrypted fashion, that we have all of our networks properly configured,” Carlson explained.
Merchants’ risks of falling short on compliance requirements will continue to mount, along with the pressure to meet their customers’ demands for eCommerce experiences. Payments orchestration can be a useful tool for businesses looking to reduce their compliance burdens while ensuring their customers’ data security.