The Cost of Non-Compliance

By Dr. Heather Mark

In recent years, the payments space has seen an explosion of new players.  This dramatic growth is good for the industry: it drives competition and innovation.  The pace of change brings challenges with it, too.  One of those challenges can be the adaptation of traditional software companies to the unique risk and compliance requirements of the payments ecosystem.  These compliance obligations are often viewed as costly requirements that add friction to the process, but in reality they not only protect the company’s clients and end-users, they also protect the company’s revenue.  A common question among those new to the payments world is, “how much does compliance cost?”  That question, though, is a little myopic.  A more cogent question might be “how much will it cost our company to be non-compliant?”

In the payments industry, the consequence of non-compliance that comes to mind first is the assessment associated with non-compliance with the Payment Card Industry Data Security Standard.  Each of the card brands assesses penalties separately, so a non-compliance finding or a breach carries with it the possibility of assessments from each of the four card brands.  For example, Visa’s published non-compliance assessment schedule (available in its Core Rules) begins at up to $50,000 per non-compliance finding for the first violation. Mastercard’s assessment schedule can be found in its Rules as well.  The assessments increase sharply for subsequent findings.  It should be noted that these assessments are merely for not being compliant with the security requirements promulgated by the brands.  This is not an assessment as a result of a breach.

In addition to the card brand consequences of non-compliance, in the event of a breach that exposes cardholder data, the bad news piles up quickly. All fifty states now have data breach notification requirements, meaning that an entity that suffers a breach in which personal data is compromised and there is a high risk of identity theft or financial fraud must notify affected consumers.  While the cost of notification and managing the public relations fallout is high, so too is the likelihood of a class action suit.  While these suits are often dismissed on the grounds that the plaintiffs don’t have standing (fertile ground for another blog post), the fact is that companies’ legal spend skyrockets in responding to these cases and working to get them dismissed.

In egregious cases, companies may attract the notice of the federal regulators.  The Federal Trade Commission (FTC) is tasked with protecting consumers from unfair and deceptive trade practices.  The FTC has used this power, provided by §5A of the Federal Trade Commission Act, to take action in the event of a data breach in which consumer data is exposed.  A list of FTC enforcement actions regarding privacy- and security-related events can be found on the FTC website.  In egregious cases, entities may face fines and penalties, pay remuneration to affected consumers, and may be required to submit their compliance or security programs to FTC oversight for up to 20 years.

Fortunately, there are means to reduce interaction with regulated or protected data.  Some of these methods include:

  • Hosted Payment Pages – merchants can accept payments through the use of a hosted payment page. The payment page is hosted by a PCI DSS validated, registered service provider.  The payment information posts directly from the consumer to the service provider, bypassing the environment of the healthcare provider.
  • Tokenization – in this solution, the payment information is replaced with a randomly generated value that is used to represent the payment mechanism. The healthcare provider can still use that token to process subsequent payments, as may be useful for patients on payment plans, reporting purposes, patient payment analysis, and chargeback or dispute purposes.  The benefit here is the reduced payment data footprint within the organization.
  • PCI Validated Point-to-Point Encryption (P2PE) – a P2PE solution is one in which the cardholder data is encrypted from the point of interaction (swipe, dip, entry) all the way through to the processor. The payment is processed, but when the authorization response is sent to the healthcare organization, the payment data is replaced with a token.
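To make the tokenization bullet concrete, here is an added Python example (written for this edit; it is not code from the original article or from any vendor named on this page). It sketches a token vault that holds the only copy of the card number, hands the merchant system a random token plus a masked display form, and then runs a crude footprint check over what the merchant stores to show that no card number survives outside the vault. The class and function names, the `tok_` token format, the last-four-only masking rule, and the card numbers are assumptions and constructed test values.

```python
import re
import secrets

# Constructed test values (well-known Luhn-valid / Luhn-invalid patterns, not real cards).
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_PAN_BAD = "4111111111111112"

# Digit runs of PAN length delimited by non-word characters.
PAN_RUN = re.compile(r"\b\d{13,19}\b")


def luhn_valid(pan: str) -> bool:
    """Luhn check-digit test: from the right, double every second digit."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def normalize_pan(pan: str) -> str:
    """Strip spaces and reject anything that is not a plausible PAN."""
    pan = pan.replace(" ", "")
    if not (pan.isdigit() and 13 <= len(pan) <= 19 and luhn_valid(pan)):
        raise ValueError("not a plausible PAN")
    return pan


def mask_pan(pan: str) -> str:
    """Display form kept outside the vault (assumption: last four digits only)."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Stand-in for the PCI-scoped service provider that stores the real PAN."""

    def __init__(self) -> None:
        self._by_token: dict[str, str] = {}
        self._by_pan: dict[str, str] = {}

    def tokenize(self, pan: str) -> str:
        pan = normalize_pan(pan)
        # Same card, same token: repeat payments (payment plans) reuse it.
        if pan in self._by_pan:
            return self._by_pan[pan]
        # Random, not derived from the PAN, so the token reveals nothing about it.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault/processor side ever maps a token back to the PAN."""
        return self._by_token[token]


def merchant_record(vault: TokenVault, pan: str, amount: str) -> dict:
    """What the merchant system keeps: token, masked card, amount. No PAN."""
    pan = normalize_pan(pan)
    return {"token": vault.tokenize(pan), "card_display": mask_pan(pan), "amount": amount}


def contains_pan(record: dict) -> bool:
    """Footprint check: does any stored value hold a Luhn-valid PAN-length digit run?"""
    text = " ".join(str(v) for v in record.values())
    return any(luhn_valid(run) for run in PAN_RUN.findall(text))


if __name__ == "__main__":
    vault = TokenVault()
    tokenized = merchant_record(vault, SAMPLE_PAN, "125.00")
    raw = {"pan": SAMPLE_PAN.replace(" ", ""), "amount": "125.00"}
    print("tokenized record holds a PAN:", contains_pan(tokenized))
    print("raw record holds a PAN:", contains_pan(raw))
```

The `contains_pan` scan is the kind of check a practitioner can run over exported merchant tables or logs to confirm the footprint really shrank; the vault itself is the part that stays in PCI DSS scope.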

While the regulatory environment is constantly changing, and threats to data will continue to evolve, the payments industry continues to adapt technologies to mitigate the risk to data.  Understanding how these technologies can be deployed to mitigate your data risk can help improve the customer experience and protect your bottom line.

Nashville Venture Connections Publication features Sphere in the article, “Nashville fintech: Waud-backed SphereCommerce eyes M&A opportunities.”

Here is a preview:
Sphere, the integrated payments technology and security software provider, won’t be deterred in its role as M&A consolidator by the frothy valuations it often observes, said Executive Chairman Andrew Rueff, whose office is in downtown Nashville, his hometown.

Read the full article here: http://www.venturenashville.com/fintech-spherecommerce-llc-cms-1898


HIMSS

March 9-13, 2020
Orlando, FL | Orange County Convention Center
https://www.himssconference.org/

Epic UGM

August 27-28, 2019
Verona, WI | Epic’s Verona Campus
https://ugm.epic.com/

ACN Detroit

September 13-15, 2019
Detroit, MI | Cobo Center
https://acn.com/us-en/training-events

ACN Gold Coast Australia

September 27-29, 2019
Broadbeach, QLD | Gold Coast Convention & Exhibition Centre
https://acn.com/au-en/training-events

By Heather Mark, Ph.D., CCEP, Director, Compliance & Security

Independent Software Vendors (ISVs) can leverage payments as a way to provide a more comprehensive suite of services to their customers, and doing so also creates revenue opportunities.  But with that come some responsibilities that are unique to payments, such as compliance with the Card Brand regulations.  Understanding those responsibilities, and the role that ISVs can play in maintaining the security and soundness of the payments ecosystem, can help ensure a strong, long-lasting, and mutually beneficial payments partnership.

So are ISVs expected to become payments experts?   Not at all. Choose your partner wisely and they can help you navigate payments, leaving you to the stuff you do best.  That said, there are a few things ISVs can do to demonstrate that they take seriously the compliance and liability aspect of the payments space.  Why would you want to do that? Because it’s the right thing to do for your customers, partners, and your business.

First, know your customers.  Payments partners, whether a payment facilitator or an acquiring bank, will want to understand the full business opportunity.  That means the risk as well as the reward.  What does your average customer look like?  Do you have a specific vertical to which you cater?  In that vertical, what are the risk trends (e.g., if you provide a platform to sell luxury goods on a peer-to-peer basis, what percentage of goods sold, or offered for sale, on your platform are counterfeit)?  Any controls that are in place to monitor and potentially mitigate these known risks should be well-documented. Is your customer base subject to seasonality? Knowing that can help in monitoring for anomalous, suspicious behaviors. This type of information allows payment partners to garner a more complete understanding of the potential risk profile of the merchants being onboarded to their system.

Secondly, document your practices and policies.  You may not need to have robust anti-money laundering policies, but you will need to have an information security policy.  You may also need to address behaviors or practices that are prohibited or restricted on your platform, and how you monitor for those activities.  These documents don’t need to be huge volumes that address every contingency, but they should be commensurate with the size and complexity of your organization.  They should also account for whether or not your platform handles toxic data (data that would damage your company or your customers if it leaks, like personally identifiable information).  One side note: there are multiple places online that allow companies to download policy templates.  These are good tools and allow companies that may be new to policy development to have a jumping-off point, but that’s all they are: a jumping-off point.  Make sure to customize these templates so that they make sense for your organization.

Finally, know the regulations that impact your vertical.  If you provide billing software for healthcare, you should be familiar with HIPAA/HITECH and the impact that those regulations have on your business.  While your payment partner may be very familiar with those regulations, you should be the expert on how those regulations impact your business.  Perhaps there are nuances that you can share with your payment partner that can improve your experience with them and they can better support your compliance initiatives.

One of the things that most new entrants into the payments world lose sight of is that compliance doesn’t simply mean compliance with regulation.  It also means compliance with the Card Brand Rules, sometimes referred to as the OpRegs.  The Card Brands have complex standards that they expect all members of the payment ecosystem to uphold.  This includes things like preventing people from misusing the payments systems through fraudulent or illegal transactions, laundering funds, counterfeiting goods or services, or processing transactions in a way that is non-compliant (for example, charging a convenience fee on a face-to-face, or card-present, transaction).  Merchants and service providers alike are expected to comply with these rules and to prevent their systems, platforms, or channels from being used to circumvent them.

And don’t forget about PCI DSS.  Speaking of compliance, you will need to understand the Payment Card Industry Data Security Standard (PCI DSS).  This standard is required of all entities that store, process, or transmit cardholder data.  The PCI DSS sets a minimum standard of security controls around payment card data. All merchants must comply with the standard and validate compliance, irrespective of their interaction with cardholder data.  The way in which they validate will vary according to how they accept payments and the volume of payments that they accept.  Service Providers, the category into which most ISVs will fall, may have to validate compliance, depending upon how they interact with the cardholder data. It is important to know that the acquiring bank is the ultimate arbiter of who must comply and how.  If an ISV is determined to be a service provider, it must validate with either an onsite assessment by a Qualified Security Assessor (QSA) or by completing the Self-Assessment Questionnaire D-Service Provider. (Note: this paragraph is an exceptionally brief discussion of the PCI DSS and by no means covers all of its nuance.  For more information, visit www.pcisecuritystandards.org.)  The short story here is that compliance with the PCI DSS helps elevate security in the industry at large and mitigates the risk to you and your customers.

Adding payments to your software application doesn’t have to be intimidating or overwhelming from a compliance perspective. Choose your payment vendor carefully and they can do the heavy lifting. Make sure you understand the role that ISVs can play in maintaining the security of the payments ecosystem and your compliance footprint.


Sphere Launches at Money20/20

NASHVILLE, Tenn. (October 23, 2018) – Sphere, a premier provider of end-to-end integrated payments and security software, makes its debut this week at Money20/20. Founded by executives from some of the largest payment companies and backed by Waud Capital Partners, Sphere delivers a technology-forward integrated commerce platform that makes it easier to securely connect with customers and facilitate their payment transactions. With the recent acquisitions of TrustCommerce and Anovia Payments, Sphere now enables customers within healthcare, parking, education and other key industry verticals to securely accept payments via any omni-channel environment and integrate into enterprise core systems for a seamless, simple and frictionless experience.

“Our name, Sphere, truly reflects our commitment to providing continuous, integrated commerce solutions that are secure and completely surround our customers’ existing business systems,” said Steve Rizzuto, chief executive officer of Sphere. “We are committed to transforming payment technology by focusing on simple, highly integrated, client-centric solutions across diverse vertical industry ecosystems.”

Powered by TrustCommerce, the leading provider of secure payment processing, Sphere’s end-to-end technology-driven solutions offer businesses of all sizes the confidence of knowing transactions are safe, secure and backed by best-in-class customer service. Sphere delivers secure integrated payment solutions to enterprises and merchants across the United States, Canada, and Australia.

According to Andrew Rueff, executive chairman of Sphere, the technology and software platform combined with the experience of the executive leadership team is what sets Sphere apart from its competitors. “Sphere is truly guided by proven industry leaders and visionaries,” said Rueff. “The reputation of our senior leaders and their existing relationships in key verticals, in tandem with our intuitive software platform, make Sphere the trusted partner for all commerce activity.”

To learn more, visit www.SphereCommerce.com.

About Sphere

Sphere, through the acquisitions of TrustCommerce and Anovia Payments, is a leading provider of end-to-end integrated payments, security software, payments gateway and merchant acquiring products and services. Sphere serves a variety of companies from large, complex enterprises to small local businesses across a range of end-markets, including healthcare, restaurant, retail, parking, education, transportation, and insurance. Headquartered in Nashville, Tenn., with offices in New York, Orange County and Dallas, Sphere is a Waud Capital Partners private equity company.