Expert Insights: Roundtable on PCI — Key Takeaways
By ETA Payment Facilitator Committee
Chris Bucolo, Sysnet Global Solutions • Lisa Conroy, FIS • Sam Hall, Secure Trust, a Trustwave division • Susie Maxwell, MAXpci
Looking at the history of the payment facilitator (PF) industry, it is easy to see why compliance risk may once have seemed small. PFs came of age in the micromerchant space, where they originally served smaller merchants or merchants with limited scope. Since then, however, the field has matured and evolved, and many PFs now service the same type of merchants as ISOs.
Recently, Chris Bucolo of Sysnet Global Solutions led a roundtable discussion with ETA’s Payment Facilitator Committee on PCI considerations for payment facilitators, joined by Sam Hall (Secure Trust), Susie Maxwell (MAXpci), and Lisa Conroy (FIS). With more ISOs, ISVs, and other payments players entering the fray or considering payment facilitation as a business model, the four speakers reiterated the importance of understanding PCI and the degree to which your company is responsible for it. While becoming a payment facilitator can be a strong business model, companies should also be aware of the associated risks: What are the potential fees or fines if a submerchant suffers a breach? Is your company set up to absorb those costs? Are you willing to take the reputational risk?
If a payment facilitator suffers a breach through its own payment product, this can be far more devastating to business than if an ISO suffers a similar breach. This is why it’s important to have a comprehensive understanding of risk mitigation – and particularly, to understand the scope of responsibility when it comes to PCI. The following are key takeaways from the speakers and their discussion with the committee.
Key Takeaways
- Payment facilitators may leave residual scope with their submerchants: where the PF does not handle 100% of cardholder data on the submerchant’s behalf, the submerchant remains responsible for whatever is not covered.
- Acquirers and processors must determine what they are comfortable with from a risk standpoint and, at the same time, must survey the landscape and understand what their competitors are offering and doing.
- As a service provider, a PF has its own set of PCI obligations, but meeting them does not necessarily discharge its submerchants’ responsibilities. Areas that merchants are responsible for fall outside what the provider covers.
- Misconceptions and confusion endure in the ecommerce card-not-present and iframe space. Embedding a hosted payment page in an iframe narrows a merchant’s scope but does not remove it: nothing has changed about how cardholder data must be handled, and this acceptance model is likely to see more scrutiny. As a service provider, a PF should be partnering with, or at least consulting, a QSA to understand its true scope.
- Card brands and acquirers are applying increasing scrutiny to ensure that their PFs are operating in a compliant and secure manner.
Interested in joining the committee? Over the past year, we have worked to harness the collective expertise of ETA and its members through our committees to help navigate industrywide opportunities and challenges. In conjunction with ETA’s Payment Facilitator Committee, for example, we released the third edition of the ETA Payment Facilitator Guidelines to help our members mitigate risk in U.S. card acceptance. The revised document includes updates related to COVID-19, ecommerce, privacy, compliance, graduation of submerchants, and enhanced review of certain marketing practices.