Pay By Group University: Payment Processing for Card-Not-Present Merchants 104
Welcome to our fourth and final article laying out the benefits, costs, and risks associated with accepting card-not-present payments in your business. In this article we’ll wrap up with a look at the costs of complying with Payment Card Industry and EMV technology requirements and a final thought on weighing the total cost of acceptance. Let’s dive in!
PCI compliance in payment processing
The Payment Card Industry Data Security Standard (PCI DSS) is a “framework of specifications, tools, measurements, and support resources to help organizations ensure the safe handling of cardholder information.” It was created by Visa to provide businesses with a consistent data security protocol. Compliance has benefits, as outlined previously in this series and as expanded upon later in this article, so merchants should ensure that they are compliant with this protocol.
There are 12 security requirements, each involving multiple tasks and steps, that protect sensitive cardholder data. They are:
- Install and maintain a firewall to protect cardholder data
- Do not use vendor-supplied default passwords or security parameters, but make them business-specific
- Protect any stored data
- Encrypt cardholder data transmissions across public networks
- Use regularly-updated antivirus software
- Develop/maintain secure systems & applications
- Restrict access to cardholder data on a business need-to-know basis
- Assign a unique ID to each employee with system access (no sharing of credentials)
- Restrict physical access to cardholder data
- Track and monitor all access to cardholder data
- Regularly test security
- Maintain a comprehensive information security policy
Businesses should also be aware of the impact of EMV migration, both from a regulatory standpoint and in terms of the costs incurred by supporting the technology.
Strike the right balance
Compliance is an ongoing cycle of tasks and security measures. There are four levels of compliance, each with associated costs that include upfront infrastructure and technology costs as well as year-to-year compliance costs. Level One applies to merchants processing the highest tier of transactions and therefore incurs the highest costs; costs decrease from there.
- Level One entails an annual on-site PCI data security assessment by a third-party vendor in addition to quarterly network scans. Visa, MasterCard, and Discover require this level of compliance from businesses that process more than six million credit card transactions (by any acceptance channel) per year. American Express requires this level of compliance from businesses processing more than 2.5 million Amex transactions per year. Becoming compliant can cost between $550,000 and $1,000,000, and the annual PCI cost is $250,000.
- Level Two entails an annual self-assessment and quarterly scans as above, and costs $260,000 to $500,000 to become compliant and $100,000 in annual PCI cost. Visa, MasterCard, and Discover require this level of compliance from businesses that process one to six million annual transactions regardless of channel; American Express requires it from merchants processing between 50,000 and 2.5 million Amex transactions annually.
- Level Three entails the same compliance requirements as above, and costs $75,000 to $90,000 to become compliant and $35,000 in annual PCI cost. Visa, MasterCard, and Discover require it from businesses processing 20,000 to one million channel-agnostic online transactions annually; American Express requires it from businesses processing fewer than 50,000 annual Amex transactions.
- Level Four entails the same requirements and costs as Level Three, and applies only to merchants processing either fewer than 20,000 e-commerce Visa, MasterCard, and Discover transactions per year, or up to one million transactions via any channel.
The new sheriff in town: PCI 3.1
- Penetration testing: Merchants must verify the methods they use to segment cardholder data environments (CDEs) from other less-sensitive areas, and both internal and external penetration testing must adhere to industry-accepted testing methodologies. Smaller merchants must ensure that their partner vendors conform with these methodologies.
- Inventorying system components: Merchants must compile a list of software and hardware components involved in the CDE, including the function of and use for each entry.
- Vendor relationships: Merchants must clearly delineate vendor relationships related to managing PCI DSS requirements, including explicit documentation of the segregation of roles where a merchant manages part of a given duty and a vendor manages another.
- Anti-malware: Merchants must continuously monitor evolving malware threats, even for systems not commonly considered vulnerable to malicious software. A process must be in place either to ensure that such systems (e.g. Unix servers) remain unaffected by malware, or to keep the merchant aware of new threats to those systems as they emerge. Additionally, anti-virus and anti-malware systems may be disabled only for limited, defined periods, and must be able to lock out users who attempt to disable them outside of those parameters.
- Physical access & point of sale: Merchants must control the physical access of on-site personnel to cardholder data on the basis of job function, and be able to instantly revoke access in the event of termination. Merchants must also protect point-of-sale devices from tampering and substitution.
The compliance bottom line
Monthly fines for non-compliance can range from four- to six-figure amounts at the discretion of the payment brand, and typically fall to the merchant after passing through the acquiring bank. Merchants also risk increased transaction fees and ultimately the termination of their banking relationships.
Data security breaches can incur fines of $50 to $95 per compromised account and increase exposure to customer lawsuits. Credit card account providers may suspend acceptance for non-compliant merchants after security breaches, and merchants run the risk of costly damage to their brand and reputation. In the end, non-compliance is usually much more expensive than compliance, despite sometimes daunting upfront costs.
Future impacts of EMV
EMV chip technology has rolled out en masse in the U.S., and has for some time been a widely accepted tool for securing and authenticating cardholder data on payment instruments (so-called “chip cards,” mobile phones, etc.) in other parts of the globe, such as Europe. While this rollout will reduce fraud for card-present commerce, card-not-present fraud is expected to more than double from its current annual volume to over $6 billion by 2018.
For Visa merchants, fraud liability will shift to the acquirer if the merchant does not use an EMV-enabled point-of-sale device for both domestic and cross-border card-present transactions. Put another way, merchants and their banks will shoulder the burden of fraud if they don’t comply with this emerging standard, but will be protected to a greater degree if they do. The same may well become the case for card-not-present merchants who do not comply with the emerging EMVCo Tokenization standard discussed in our previous article.
Assess the total cost of acceptance
As we’ve seen in this series of articles, the total cost of accepting card-not-present transactions differs from business to business, and the considerations that must be weighed include the monetary costs of compliance and infrastructure as well as the benefits and limitations of the various payment processing options. Payment expenses are a part of doing business, but by following industry standards and best practices merchants can minimize these expenses and even drive greater revenue and growth over the long term.