PCI and Payment Facilitation: What are PFs Responsible For?

Companies that choose to integrate payments into their B2B software offerings must consider risk from a number of perspectives. The world of risk management and compliance is filled with acronyms associated with securing the payments ecosystem: BSA, KYC and AML, just to name a few.

The acronym list would not be complete without mentioning a fundamental area of concern for anyone associated with payments data: PCI. This week, we report on some of the issues and decision points behind payment facilitators’ relationship with the industry data security standard.


What is PCI?

The Payment Card Industry Data Security Standard (PCI DSS), often referred to simply as PCI, is a critical component of the card brands’ data security programs. The standard provides payment security guidelines for organizations that store, process or transmit cardholder data.

PCI is the result of an important industry collaboration that protects the integrity of the payments system. The standard was developed and is maintained by the PCI Security Standards Council, which was founded by all five card networks (American Express, Discover Financial Services, JCB International, MasterCard, and Visa). Participation in the Council is open to representatives from all sectors of the payments industry.

Why should SaaS companies care?

PCI is at the heart of what the decision to handle payments requires – a commitment to investing the resources needed to protect the payments ecosystem at every entry point.

That applies to merchants and their services providers alike, creating two distinct issues for payment facilitators, according to Chris Bucolo, VP of market strategy for ControlScan. PFs are responsible for their own PCI compliance. But they are also responsible to make sure that their submerchants comply with the PCI standards.

“It’s very clear that the PCI buck stops at the payment facilitator,” Bucolo said.

To be deemed compliant with PCI, businesses must first undertake assessments to determine where their security vulnerabilities might be. Then they must take steps to mitigate those vulnerabilities and submit regular reports. Compliance is enforced by card networks and acquiring banks.

PCI, partnerships and scope

Key to any conversation about PCI compliance is an understanding of scope. PCI scope refers to the elements of a business’s environment – the people, systems or technology – that touch the cardholder data.

According to Bucolo, the issues of PCI scope and compliance are a fundamental factor behind the ultimate structure of the business, making early conversations a necessity.

As is so often the case, businesses that are considering becoming payment facilitators must weigh the user experience they are looking to provide their customers – and the subsequent desire for control over that experience – against the benefits of outsourcing parts of their business in a way that reduces their PCI compliance burden when deciding how to structure their business model.

“If the PF feels that they don’t want to fully outsource an ecommerce hosted solution, for example, and they want control over the web site and what the customer sees to provide an experience that only they can provide, their scope will be larger,” he said.

“So you have to make that decision – is it better for your business model to have the larger scope and keep more of the risk and subsequent costs? Or does it make sense to outsource more and have a little bit less involvement and control over the process, but have a smaller scope and lower risk?” he asked.

Reducing residual scope

While PFs have to concern themselves with PCI compliance both for themselves and for their submerchants, the two are very much interrelated, Bucolo said.

“Whatever risk isn’t handled by the processor and isn’t handled by the payment facilitator is left over for the merchant to handle,” he said.

Bucolo calls that “leftover” responsibility residual scope. And the current aim of the payment facilitator model is often to reduce that residual scope as much as possible, often with the use of technology. If a payment facilitator is managing hosting and processing for the submerchant – who as a result is touching very little data – the submerchant’s scope will typically be small, he said.

“Often, it’s a situation where the merchant has some ability to use an application but they’re not doing much else. They’re still subject to PCI, but the scope of what they’re responsible for may be very limited. That’s what many payment facilitators are driving toward,” Bucolo said.

Bucolo gives the example of a company that provides software to realty companies to collect homeowners’ association payments. In this example, the consumer pays their fees through an app, which is managed by the payment facilitator or their partner. That type of structure limits the scope for the submerchant – in this case, the realty company.

“The submerchant can let the technology or the app do most of the work and let the payment facilitator – and whoever they’re relying on for backroom assistance – worry about the processes associated with that app. So they typically should just have a limited number of things to be concerned with,” Bucolo said.

Learn more about PCI compliance from Chris Bucolo at PF WORLD 2018 on Sept. 25 in New York City.

PF WORLD 2018 is the first-ever standalone event focused exclusively on the payment facilitator ecosystem. It’s designed to tackle the challenges unique to payment facilitators head-on and provide the chance to network directly with the top names in the industry.

Seats are limited and going fast for this special event, so save your space by registering now.



Payment facilitators always need to consult with their acquirers and attorneys or other advisers for detailed advice particular to their situations.