PCI and Payment Facilitation: What are PFs Responsible For?

Published 2018-09-12 (last modified 2021-06-29)
Source: http://infinicept.com/payment-facilitator/learn/get-started/pci-and-payment-facilitation-what-are-pfs-responsible-for/

Companies that choose to integrate payments into their B2B software offerings must consider risk from a number of perspectives. The world of risk management and compliance is filled with acronyms associated with securing the payments ecosystem: BSA, KYC and AML, just to name a few.

The acronym list would not be complete without mentioning a fundamental area of concern for anyone associated with payments data: PCI. This week, we report on some of the issues and decision points behind payment facilitators’ relationship with the industry data security standard.

What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS), often referred to simply as PCI, is a critical component of the card brands’ data security programs. The standard provides payment security guidelines (https://www.pcisecuritystandards.org/pci_security/maintaining_payment_security) for organizations that store, process or transmit cardholder data.

PCI is the result of an important industry collaboration that protects the integrity of the payments system. The standard was developed and is maintained by the PCI Security Standards Council, which was founded by all five card networks (American Express, Discover Financial Services, JCB International, MasterCard, and Visa). Participation in the Council is open to representatives from all sectors of the payments industry.

Why should SaaS companies care?

PCI is at the heart of what the decision to handle payments requires – a commitment to investing the resources needed to protect the payments ecosystem at every entry point.

That applies to merchants and their service providers alike, creating two distinct issues for payment facilitators, according to Chris Bucolo, VP of market strategy for ControlScan (https://www.controlscan.com/?utm_source=pfcom&utm_medium=article&utm_campaign=payfac). PFs are responsible for their own PCI compliance. But they are also responsible for making sure that their submerchants comply with the PCI standards.

“It’s very clear that the PCI buck stops at the payment facilitator,” Bucolo said.

To be deemed compliant with PCI, businesses must first undertake assessments to determine where their security vulnerabilities might be. Then they must take steps to mitigate those vulnerabilities and submit regular reports. Compliance is enforced by card networks and acquiring banks.

PCI, partnerships and scope

Key to any conversation about PCI compliance is an understanding of scope. PCI scope refers to the elements of a business’s environment – the people, systems or technology – that touch cardholder data.

According to Bucolo, the issues of PCI scope and compliance are a fundamental factor behind the ultimate structure of the business, making early conversations a necessity.

As is so often the case, when deciding how to structure their business model, businesses that are considering becoming payment facilitators must weigh the user experience they want to provide their customers – and the resulting desire for control over that experience – against the benefits of outsourcing parts of their business in a way that reduces their PCI compliance burden.

“If the PF feels that they don’t want to fully outsource an ecommerce hosted solution, for example, and they want control over the web site and what the customer sees to provide an experience that only they can provide, their scope will be larger,” he said.

“So you have to make that decision – is it better for your business model to have the larger scope and keep more of the risk and subsequent costs? Or does it make sense to outsource more and have a little bit less involvement and control over the process, but have a smaller scope and lower risk?” he asked.

Reducing residual scope

While PFs have to concern themselves with PCI compliance both for themselves and for their submerchants, the two are very much interrelated, Bucolo said.

“Whatever risk isn’t handled by the processor and isn’t handled by the payment facilitator is left over for the merchant to handle,” he said.

Bucolo calls that “leftover” responsibility residual scope. The current aim of the payment facilitator model is usually to reduce that residual scope as much as possible, often with the use of technology. If a payment facilitator is managing hosting and processing for the submerchant – who as a result is touching very little data – the submerchant’s scope will typically be small, he said.

“Often, it’s a situation where the merchant has some ability to use an application but they’re not doing much else. They’re still subject to PCI, but the scope of what they’re responsible for may be very limited. That’s what many payment facilitators are driving toward,” Bucolo said.

Bucolo gives the example of a company that provides software to realty companies to collect homeowners’ association payments. In this example, the consumer pays their fees through an app, which is managed by the payment facilitator or their partner. That type of structure limits the scope for the submerchant – in this case, the realty company.

“The submerchant can let the technology or the app do most of the work and let the payment facilitator – and whoever they’re relying on for backroom assistance – worry about the processes associated with that app. So they typically should just have a limited number of things to be concerned with,” Bucolo said.

Learn more about PCI compliance from Chris Bucolo (https://pfworld2018.com/speakers/) at PF WORLD 2018 on Sept. 25 in New York City.

PF WORLD 2018 is the first-ever standalone event focused exclusively on the payment facilitator ecosystem. It’s designed to tackle the challenges unique to payment facilitators head-on and provide the chance to network directly with the top names in the industry.

Seats are limited and going fast for this special event, so save your space by registering now (https://pfworld2018.com/register/).

Payment facilitators always need to consult with their acquirers and attorneys or other advisers for detailed advice particular to their situations.