By Heather Mark, Ph.D., CCEP, Director, Compliance & Security
Independent Software Vendors (ISVs) can leverage payments as a way to provide a more comprehensive suite of services to their customers and doing so also provides revenue opportunities. But with that comes some responsibilities that are unique to payments, such as compliance with the Card Brand regulations. Understanding those responsibilities, and the role that ISVs can play in maintaining the security and soundness of the payments ecosystem, can help ensure a strong, long-lasting, and mutually beneficial payments partnership.
So are ISVs expected to become payments experts? Not at all. Choose your partner wisely and they can help you navigate payments, leaving you to the stuff you do best. That said, there are a few things ISVs can do to demonstrate that they take seriously the compliance and liability aspect of the payments space. Why would you want to do that? Because it’s the right thing to do for your customers, partners, and your business.
First, know your customers. Payments partners, whether a payment facilitator or an acquiring bank, will want to understand the full business opportunity. That means the risk as well as the reward. What does your average customer look like? Do you have a specific vertical to which you cater? In that vertical, what are the risk trends (e.g., if you provide a platform to sell luxury goods on a peer to peer basis, what is the percentage of counterfeit goods that are sold, or attempted to be sold, on your platform?). Any controls that are in place to monitor and potentially mitigate these known risks should be well-documented. Is your customer base subject to seasonality? Knowing that can help in monitoring for anomalous, suspicious behaviors. This type of information allows payment partners to garner a more complete understanding of the potential risk profile of the merchants being onboarded to their system.
Secondly, document your practices and policies. You may not need to have robust anti-money laundering policies, but you will need to have an information security policy. You may also need to address behaviors or practices that are prohibited or restricted on your platform, and how you monitor for those activities. These documents don’t need to be huge volumes that address every contingency, but they should be commensurate with the size and complexity of your organization. It should also account for whether or not your platform handles toxic data (data that would damage your company or your customers if its leaks, like personally identifiable information). One side note: there are multiple places online that allow companies to download policy templates. These are good tools and allow companies that may be new to policy development to have a jumping off point, but that’s all they are – a jumping off point. Make sure to customize these templates so that they make sense for your organization.
Finally, know the regulations that impact your vertical. If you provide billing software for healthcare, you should be familiar with HIPAA/HITECH and the impact that those regulations have on your business. While your payment partner may be very familiar with those regulations, you should be the expert on how those regulations impact your business. Perhaps there are nuances that you can share with your payment partner that can improve your experience with them and they can better support your compliance initiatives.
One of the things that most new entrants into the payments world lose sight of is that compliance doesn’t simply mean compliance with regulation. It also means compliance with the Card Brand Rules, sometimes referred to as the OpRegs. The Card Brands have complex standards that they expect all members of the payment ecosystem to uphold. This includes things like preventing people from misusing the payments systems through fraudulent or illegal transactions, laundering funds, counterfeiting goods or services, or processing transactions in a way that is non-compliant (for example, charging a convenience fee on a face to face, or card present, transaction.) Merchants and service providers alike are expected to comply with these rules and to prevent their systems, platforms, or channels from being used to circumvent those rules.
And, don’t forget about PCI DSS…Speaking of compliance, you will need to understand the Payment Card Industry Data Security Standard (PCI DSS). This standard is required of all entities that store, process, or transmit cardholder data. The PCI DSS sets a minimum standard of security controls around payment card data. All merchants must comply with the standard and validate compliance, irrespective of their interaction with cardholder data. The way in which they validate will vary according to how they accept payments and the volume of payments that they accept. Service Providers, the category into which most ISVs will fall, may have to validate compliance, depending upon how they interact with the cardholder data. It is important to know that the acquiring bank is the ultimate arbiter of who must comply and how. If an ISV is determined to be a service provider, it must validate with either an onsite assessment by a Qualified Security Assessor (QSA) or by completing the Self-Assessment Questionnaire D-Service Provider. (Note: this paragraph is an exceptionally brief discussion of the PCI DSS and by no means covers all of its nuance. For more information, visit www.pcisecuritystandards.org). The short story here is that, compliance with the PCI DSS helps elevate security in the industry at large, and mitigates the risk to you and your customers.
Adding payments to your software application doesn’t have to be intimidating or overwhelming from a compliance perspective. Choose your payment vendor carefully and they can do the heavy lifting. Make sure you understand the role that ISVs can play in maintaining the security of the payments ecosystem and your compliance footprint.
Interested in partnering? Contact Us
