Podcast: Play in new window | Download
Today, most insurance, utility, and healthcare companies are not PCI compliant. In fact, just 27% of them are, despite the existence of regulations and organizations that can help businesses achieve and maintain compliance.
To learn more about how insurance companies, utilities, and healthcare networks can navigate the constantly evolving security and compliance landscape, PaymentsJournal sat down with Nirmal Kumar, CTO and Head of Product at Aliaswire, and Don Apgar, Director of the Merchant Services Advisory Practice at Mercator Advisory Group.
What is PCI compliance?
PCI compliance refers to complying with the Payment Card Industry Data Security Standard (PCI DSS). PCI DSS is a set of security standards that has existed since 2004. It was created by the major card brands Visa, Mastercard, American Express, Discover, and JCB to ensure that businesses storing, processing, or transmitting payment card data do so within a secure environment and meet the minimum baseline of security control requirements.
Securing payment card data must be a top priority for any business processing card payments. “The card brands instituted [PCI] because it builds trust between the business and the customer. If I am paying my bill, I want to be sure that my card information is secure in your environment and in your technology,” explained Kumar. If merchants fail to protect their customers’ payment card information, those customers are unlikely to trust them for a future purchase.
Businesses struggle to comply with PCI DSS
Despite its undeniable importance, many businesses struggle to fully comply with PCI DSS. Simply put, compliance is often easier said than done. Rather than just a one-time technology investment, PCI compliance requires the participation of multiple areas throughout an organization. It involves process, personnel, technology, encryption and security.
“A company might make large technology investments to become compliant, but because of the ever-changing security threats and upgrades to the standards, it’s hard to keep up. It requires a constant upkeep of systems, personnel and processes,” said Kumar.
Despite the potential for severe repercussions, compliance sustainability continues to decline as a decreasing percentage of organizations demonstrate the ability to keep a minimum baseline of security controls in place. According to Verizon, fewer than one-third (27.9%) of organizations maintained their required set of PCI data security controls during their 12-month compliance cycle in 2019.
The pandemic played a role in this decline. The socially distant nature of the COVID environment forced many businesses to pivot quickly to online and mobile commerce channels to interact with customers. In the rush to do so, security was easy to overlook. Ongoing updates to PCI DSS also contribute to the difficulty in becoming and remaining compliant.
“You’ve got the double whammy of increasingly complex PCI standards… and also merchants being pressured to use payment data in more ways and accept it in more places, and that just compounds the problems of how to keep it secure,” said Apgar.
How can organizations manage compliance?
An effective way for organizations to achieve PCI compliance is to outsource it to an experienced partner. “One of the things they can do is outsource… their billing and payment-related needs to fully integrated partners. And the reason I bring up fully integrated partners is because you do not want to compromise on your user experience,” said Kumar.
Prioritizing compliance does not mean that organizations should risk adding friction to the customer experience. “You do not want to create that extra step for your users to go to some other website or have a very clumsy way of entering the card data,” he added.
Aliaswire’s DirectBiller solution is level one PCI-DSS compliant. Billers who partner with Aliaswire only have to fill out a shortened form, the PCI self-assessment questionnaire (SAQ)-A form, where they attest that no credit card data traverses the biller’s environment.
“This can be a great, cost-effective way of accepting payments – having a platform that gives you capabilities like single sign-on and all the integration points so that your user experience is not degraded, while maintaining security and compliance around the PCI data,” explained Kumar.
Apgar agreed, adding that “it’s pretty clear that best practice for a lot of vertical markets is exactly that: keep the data out of my system and then I don’t have to worry about PCI compliance. And the attestation becomes a rubber stamp because when [regulators] ask me how I am safeguarding data, the answer is easy. I don’t have any data. I have a partner that specializes in that business that’s doing it for me,” said Apgar.
What outsourced PCI compliance looks like
To Kumar, outsourced PCI compliance starts with the right partner. “Find a partner that has the capabilities to provide you with all the integrations you need, so that you do not have to compromise on the user experience. You may already have a portal, or if you want to add payment acceptance capability, your user should be able to single sign-on and make a payment.”
“If you have complex workflows and accept payment or card data, you’ll want to have options for tokenization of the card data. Your partner takes the card data from the customer’s browser to their servers. It doesn’t even go to your server during transition. This allows you to avoid storing or transitioning the card data.”
It’s important to find a partner that can provide all options – whether it’s a quick button that takes your customer to a different website, a single sign-on experience, or a secure tokenization widget that can be embedded into your complex workflow.
PCI compliance partners should also be able to provide compliance reports and conduct independent screenings to give businesses the comfort they need to know they are well taken care of.