Understand and Simplify Payment Compliance to Protect Your Business and Customers
With the surge in global eCommerce, it’s more imperative than ever for online businesses to protect their revenue, reputation and customers. It’s important to understand payment processing compliance, but maintaining payment security can be confusing. Rapyd simplifies compliance, fraud and security for our customers, and we’ve created this guide to make compliance easy to understand for you.
Why Payment Processing Compliance Matters
Global digital payments are expected to reach $5,439.8 billion in 2020.[1] The digitization of businesses and the adoption of technologies by merchants and consumers have made online payments easier and more convenient. Innovative solutions address the needs of many who are unbanked or underbanked, further increasing rates of financial inclusion. As digital commerce surges in popularity, the growth of cybercrime is not far behind.
- The average cost of a data breach is now $3.92 million.[2]
- Costs have increased 12% over the last five years and continue to increase every year.
- Costs include regulatory fines, internal time and effort, lost opportunities, customer churn and bad publicity.
A number of privacy and data security standards have been established to protect businesses and individuals from fraud. Many countries have their own unique set of regulatory and licensing requirements to securely govern payments. Understanding and making sure you are meeting these requirements is essential to protecting your business and your customers.
How Can Merchants Make Payment Processing Compliance Easier?
Merchants face a complex challenge to understand and achieve compliance across all the jurisdictions in which they operate. Being proactive is the best defence against a data breach. That means understanding compliance requirements and working with a payment service provider that helps you manage and maintain compliance and protect against data breaches and fraud, allowing you to focus your efforts on expanding your business.
Global Payment Industry Standards
Merchants that do business domestically and internationally need to protect their own businesses and the personal and financial data of their customers. This starts with knowing the payment processing compliance standards they are obliged to adhere to.
What is PCI DSS compliance?
The PCI DSS standard was designed as a minimum standard to protect cardholder data from fraud. The standard was developed by the Payment Card Industry Security Standards Council (PCI SSC), which is made up of American Express, Discover Financial Services, JCB International, MasterCard and Visa. With 12 high-level requirements, the standard enforces controls around the storage, transmission and processing of cardholder data. The level of compliance to be achieved is based on the number of transactions processed by the organization each year.
Why PCI DSS compliance is required
Security must be a priority for merchants processing customer and payment data. A data breach can impact not only sales, but can involve fines and cause irrevocable damage to the reputation of the business. As an ongoing effort, PCI compliance examines how data is handled across the organization to identify potential vulnerabilities that could put cardholder data at risk so they can be addressed.
How is PCI Compliance enforced?
Although companies are not legally compelled to be PCI DSS compliant, the PCI SSC may impose penalties for noncompliance. PCI compliance is enforced by the five payment card brands that make up the PCI SSC. Each has its own guidelines, requirements, deadlines, definitions and penalties for noncompliance.
How expensive is PCI-DSS?
PCI compliance cost is based on a number of factors including the type of business, size and the number of employees responsible for processing data. The volume, location and configuration of physical hardware is also a factor. Businesses without the specialist knowledge in-house to manage compliance may also need to budget for external consultants.
What happens if you aren’t PCI compliant?
Noncompliance is a strong signal that a business is vulnerable to a breach. The PCI SSC will impose fines on businesses found to be non-compliant. The consequences of a data breach for a non-compliant business are significant and can include costly fines and penalties in addition to significant reputational damage. If cardholder data is compromised and account numbers have been fraudulently used, there may be additional costs. Businesses may also lose the right to accept payment cards or have their account suspended.
PSD2 – Revised Payment Services Directive
What is the Revised Payment Services Directive (PSD2)?
The second Payment Services Directive (PSD2) is a framework of laws and regulations for payment services in the European Union (EU). The first directive (PSD1) did not keep pace with the development of the industry and the impact of technology on payments. PSD2 helps make electronic payments safer and increases consumer protection with the addition of Strong Customer Authentication (SCA).
What is Strong Customer Authentication (SCA)?
The role of SCA is to reduce fraud and increase the security of online payments. PSD2 requires SCA to be used in all customer-initiated online payments within Europe and for online card payments where the business and the cardholder's bank are both in the European Economic Area (EEA). SCA uses two or more of the following elements in the authentication process:
- Something you know (knowledge), such as a password or PIN
- Something you have (possession), such as a badge or smartphone
- Something you are (inherence), such as fingerprints or voice recognition
How does a business manage PSD2 and SCA?
Any business that offers payments from their website needs to ensure that SCA checks are part of the checkout process. SCA is enabled by 3D Secure 2.0 (3DS2).
3D Secure 2.0 (3DS2)
What is 3D Secure?
3D Secure is an advanced authentication layer. It prevents unauthorized use of cards and protects eCommerce merchants and issuers from exposure to fraud. The name "3D" is short for "3 Domain", referencing the issuer domain, the acquirer domain and the interoperability domain. Each of the card brands has its own branded 3D Secure offering:
- American Express Safekey®
- Discover ProtectBuy®
- Mastercard SecureCode®
- Visa Secure®
How does 3D Secure work?
The protocol enables merchants, card networks and financial institutions to share information to authenticate transactions. However, in the first iteration of the protocol this additional step introduced friction into the checkout process and led to a rise in cart abandonment.
What is 3D Secure 2.0?
The new version of the protocol was needed to support mobile-based authentication and digital wallet integration while delivering both security and the performance required for an optimal user experience. Additional information is sent with each transaction to allow the bank to verify the cardholder. If verified, the transaction continues in a "frictionless" flow, making checkout faster and easier. If there is an issue, the bank responds with a "challenge" for user authentication within the customer's or bank's application, which gives a better user experience than the earlier redirect-based step.
What are the benefits of 3D Secure 2.0?
Removing the requirement, present in version 1.0, for cardholders to manually enter a password has improved cart abandonment rates. A rich dataset about the cardholder and the transaction allows the issuer to make better decisions as to whether or not a transaction is fraudulent. Cardholders benefit from a higher degree of confidence that their card is not being misused.
KYB and KYC Verification requirements
What is KYC & KYB?
Know Your Customer (KYC) and Know Your Business (KYB) are verification processes in which all regulated businesses identify and check potential individual (KYC) and business (KYB) clients. Also referred to as Customer Due Diligence, this requires the collection and cross-checking of information about the customers or businesses from multiple data sources. The confidential customer data used in the verification process must be managed in accordance with data protection regulations.
What are KYC & KYB Verification requirements?
KYC verification requires businesses, from almost every industry, to identify customers before onboarding them or accepting payments from them. Transactions exceeding the maximum transaction threshold (most often $10,000) should be reported.
KYB regulations apply to businesses including financial institutions, the legal sector, virtual asset dealers and precious metal dealers, and require the screening of prospects before engaging in any B2B relationship. The role of the verification is to prevent criminal entities from exploiting loopholes in financial infrastructures to engage in money laundering and terrorist financing globally.
GDPR and CCPA
What is GDPR?
The General Data Protection Regulation (GDPR) is a framework designed to give EU citizens more control over their personal data. Organizations must ensure that personal data is gathered legally and under strict conditions, protect it from misuse and exploitation and respect the rights of data owners. GDPR applies to any organization operating within the EU, and organizations outside of the EU offering goods or services to customers or businesses in the EU.
What is Personal Data?
Personal data is "any information related to a natural person or 'Data Subject' that can be used to directly or indirectly identify the person. It can be anything from a name, a photo, an email address, bank details, and posts on social networking websites, medical information, or a computer IP address."[3]
What does GDPR mean for a business?
GDPR requires that a business controls and processes all personal data lawfully, transparently and for a specific purpose. The consent given must relate to that purpose. If the data is no longer required, it must be deleted. There is an obligation to protect data from misuse and exploitation and to respect the rights of data owners, or face penalties. Individual businesses need to consider the personal data they work with, and how it is gathered, processed and managed, so that they comply with GDPR.
What is CCPA?
The California Consumer Privacy Act (CCPA) empowers Californians to request businesses to disclose or delete the data they have already collected, or to opt out of third-party data sales. Although both the CCPA and GDPR share the goal of protecting the privacy of individuals they take different approaches.
The primary difference between the two approaches is that GDPR requires businesses to have a legal basis for processing personal data in the EU, whereas CCPA allows businesses to process consumers' data unless the individual exercises their right to opt out of having their data sold.
Simplify Global Payment Processing Compliance
Accept payments in over 100 countries with built-in compliance and identity verification.
Other Common Payment Processing Compliance and Security Terms
Anti-Money Laundering (AML) and Counter Terrorist Financing (CTF) – AML/CFT rules are designed to prevent financial markets being misused for criminal activities, enhance international security and promote the integrity of global financial systems.
CAPTCHA – A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is used on websites to verify whether the user is a real person or a spam bot. CAPTCHAs distort letters and numbers, making them difficult for computers to read, and rely on the human ability to recognize them. For CAPTCHAs to be most effective, images are distorted randomly and changed frequently so they cannot be "learned".
Multi-Factor Authentication – Multi-Factor Authentication (MFA) plays a key role in identity and access management (IAM). Rather than relying on a username and password alone, MFA verifies the user's identity by requiring multiple credentials. These credentials can be anything from a one-time code to an answer to a security question or a fingerprint. This layered approach creates a greater level of confidence that the user is who they say they are.
Sanctions Screening – Sanctions screening is an integral part of AML/CFT regulations. It involves checking the names or aliases of individuals, groups or companies against designated and regularly updated sanctions lists. To be effective and accurate, the process must be repeated over time and checked against the constantly changing lists.
SSL and TLS – Transport Layer Security (TLS) and Secure Sockets Layer (SSL) are protocols that encrypt data and authenticate a connection when moving data across the Internet. TLS is the updated successor to SSL and offers more security. Sensitive information is encrypted so that only the intended recipient can access it, protecting it from malicious actors. SSL certificates are issued to companies that successfully complete a series of checks. The proper use of an SSL certificate is a requirement of the Payment Card Industry (PCI) standards.
Tokenization – Tokenization replaces sensitive data with a random string of characters (a token) that has no meaningful value if breached. No mathematical process is used to create the token, and no key can convert it back to its original form. The relationship between the data and the token is stored in a database called a token vault. Because it replaces sensitive data with a non-sensitive digital equivalent, tokenization is particularly useful for securing payment card data and can reduce a merchant's PCI DSS obligations.
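As an added illustration (not Rapyd's code or any production vault), the following Python sketch shows the tokenization model just described: a token drawn from a secure random source with no mathematical link to the card number, a vault that holds the only mapping, and a masked form for display so that the card number never leaves the vault. The class and function names are assumptions for the example, and the in-memory dictionaries stand in for the access-controlled, encrypted store a real vault would use.

```python
import re
import secrets

_PAN_RE = re.compile(r"^\d{12,19}$")


def luhn_valid(pan: str) -> bool:
    """Luhn check: rejects malformed input before it ever reaches the vault."""
    if not _PAN_RE.match(pan):
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Toy vault (assumed name). Real vaults encrypt the PAN column and audit access."""

    def __init__(self):
        self._by_token = {}     # token -> PAN: the only link between the two
        self._by_pan = {}       # PAN -> token, so a repeat card maps to the same token

    def tokenize(self, pan: str) -> str:
        pan = pan.replace(" ", "")
        if not luhn_valid(pan):
            raise ValueError("invalid card number")
        if pan in self._by_pan:
            return self._by_pan[pan]
        # 128 random bits from the OS CSPRNG: nothing about the PAN is encoded in
        # the token, so there is no key that could "decrypt" it outside the vault.
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        self._by_pan[pan] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault can resolve a token; callers outside PCI scope never need this."""
        if token not in self._by_token:
            raise KeyError("unknown token")
        return self._by_token[token]

    def masked(self, token: str) -> str:
        """Display form (last four digits) that merchant systems can safely store and show."""
        pan = self.detokenize(token)
        return "*" * (len(pan) - 4) + pan[-4:]
```

Because the merchant stores only `tok_…` values and the masked form, a breach of the merchant's database exposes nothing that can be used to make a payment.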
What’s the Best Solution for Payment Processing Compliance?
You need a comprehensive, global approach to payment processing compliance that evolves as requirements change. Working with a payment platform that manages compliance seamlessly is a smart approach that allows focus and resources to remain where they can be most effective: on your core business.
Rapyd manages local licensing and regulations to maintain payment compliance. Rapyd also provides built-in AML, CTF, sanctions screening, tokenization and encryption, and KYC and KYB identity verification, making it easy to offer local payment methods, securely, anywhere you do business.