PaymentsJournal

Navigating the Ever-Changing Landscape of PCI Compliance 

PaymentsJournal by PaymentsJournal
March 21, 2022
in Compliance and Regulation, Featured Content, The PaymentsJournal Podcast
https://media.blubrry.com/paymentsjournal/paymentsjournal.com/wp-content/uploads/2022/03/Aliaswire-002-002_mixdown.mp3

Today, most insurance, utility, and healthcare companies are not PCI compliant. In fact, just 27% of them are, despite the existence of regulations and organizations that can help businesses achieve and maintain compliance.  

To learn more about how insurance companies, utilities, and healthcare networks can navigate the constantly evolving security and compliance landscape, PaymentsJournal sat down with Nirmal Kumar, CTO and Head of Product at Aliaswire, and Don Apgar, Director of the Merchant Services Advisory Practice at Mercator Advisory Group. 

What is PCI compliance?  

PCI compliance refers to complying with the Payment Card Industry Data Security Standard (PCI DSS), a security standard first published in 2004. It was created by the major card brands (Visa, Mastercard, American Express, Discover, and JCB) and is now maintained by the PCI Security Standards Council. Its purpose is to ensure that any business storing, processing, or transmitting payment card data does so in a secure environment that meets a minimum baseline of security control requirements.  

Securing payment card data must be a top priority for any business processing card payments. “The card brands instituted [PCI] because it builds trust between the business and the customer. If I am paying my bill, I want to be sure that my card information is secure in your environment and in your technology,” explained Kumar. If merchants fail to protect their customers’ payment card information, those customers are unlikely to trust them for a future purchase.   

Businesses struggle to comply with PCI DSS 

Despite its undeniable importance, many businesses struggle to fully comply with PCI DSS. Simply put, compliance is often easier said than done. Rather than a one-time technology investment, PCI compliance requires the participation of multiple areas throughout an organization: it involves processes and personnel as much as technology, and security controls such as encryption are only one part of it.

“A company might make large technology investments to become compliant, but because of the ever-changing security threats and upgrades to the standards, it’s hard to keep up. It requires a constant upkeep of systems, personnel and processes,” said Kumar.    

Despite the potential for severe repercussions, compliance sustainability continues to decline, with a shrinking share of organizations able to keep the minimum baseline of security controls in place between assessments. According to Verizon’s 2020 Payment Security Report, fewer than one-third (27.9%) of organizations maintained their required set of PCI DSS controls throughout their 12-month compliance cycle in 2019.   

The pandemic played a role in this decline. The socially distant nature of the COVID environment forced many businesses to pivot quickly to online and mobile commerce channels to interact with customers. In the rush to do so, security was easy to overlook. Ongoing updates to PCI DSS also contribute to the difficulty in becoming and remaining compliant.  

“You’ve got the double whammy of increasingly complex PCI standards… and also merchants being pressured to use payment data in more ways and accept it in more places, and that just compounds the problems of how to keep it secure,” said Apgar.  

How can organizations manage compliance?  

An effective way for organizations to achieve PCI compliance is to outsource it to an experienced partner. “One of the things they can do is outsource… their billing and payment-related needs to fully integrated partners. And the reason I bring up fully integrated partners is because you do not want to compromise on your user experience,” said Kumar.  

Prioritizing compliance does not mean that organizations should risk adding friction to the customer experience. “You do not want to create that extra step for your users to go to some other website or have a very clumsy way of entering the card data,” he added.  

Aliaswire’s DirectBiller solution is validated as a PCI DSS Level 1 service provider. Billers who partner with Aliaswire only have to complete the shortest self-assessment questionnaire, SAQ A, which applies to merchants that have fully outsourced all cardholder data functions to PCI DSS validated third parties and attest that no cardholder data is stored, processed, or transmitted on their own systems. SAQ A is short, not empty: the biller still has to confirm that its service providers are PCI DSS validated, keep the web server that hands customers off to the payment page patched and free of vendor default credentials, control access to it, and maintain an incident response plan.  

“This can be a great, cost-effective way of accepting payments – having a platform that gives you capabilities like single sign-on and all the integration points so that your user experience is not degraded, while maintaining security and compliance around the PCI data,” explained Kumar.  

Apgar agreed, adding that “it’s pretty clear that best practice for a lot of vertical markets is exactly that: keep the data out of my system and then I don’t have to worry about PCI compliance. And the attestation becomes a rubber stamp because when [regulators] ask me how I am safeguarding data, the answer is easy. I don’t have any data. I have a partner that specializes in that business that’s doing it for me.”   

What outsourced PCI compliance looks like 

To Kumar, outsourced PCI compliance starts with the right partner. “Find a partner that has the capabilities to provide you with all the integrations you need, so that you do not have to compromise on the user experience. You may already have a portal, or if you want to add payment acceptance capability, your user should be able to single sign-on and make a payment.”

“If you have complex workflows and accept payment or card data, you’ll want to have options for tokenization of the card data. Your partner takes the card data from the customer’s browser to their servers. It doesn’t even go to your server during transmission. This allows you to avoid storing or transmitting the card data.”

It’s important to find a partner that can provide all options – whether it’s a quick button that takes your customer to a different website, a single sign-on experience, or a secure tokenization widget that can be embedded into your complex workflow.

PCI compliance partners should also be able to provide compliance documentation (for a Level 1 service provider, an annual Attestation of Compliance from an independent assessment) and undergo regular independent assessments, so that businesses have evidence, not just assurances, that they are well taken care of. 

Tags: Aliaswire, Compliance and Regulation, PCI Compliance