Payments Compliance and Monitoring: Simplified
What is payments compliance?
The pandemic years accelerated the growth of global e-commerce, catapulting the industry to over 26 million individual merchants doing business every day online. Each of them has a duty to provide a safe experience for their customers and a secure environment for their partners. This is what payments compliance is: protecting every participant in the payment ecosystem - from customer to gateway to card network to banks - from fraud and risk.
But unlike other business imperatives, payments require more than good intentions and well-designed business processes. There is a range of stringent regulations and operating standards everyone is required to follow: PCI-DSS for data protection; Know Your Customer (KYC) rules, so that a merchant does not unwittingly provide services to someone it is barred from doing business with; and Anti-Money Laundering (AML) rules, to prevent criminals from using an unsuspecting merchant in their nefarious activities.
Why is payments compliance such a big deal?
Beyond the basic reality that customers expect the merchants they do business with to operate in a way that is safe and secure, the consequences when criminals and hackers break into an environment can be truly brutal. In 2022, IBM estimated that the average cost of a data breach in the United States was over $9.4M, against a global average of around $4.35M. While that average includes some truly enormous events - a break-in at Epsilon was estimated to cost the organization some $4 billion - even smaller merchants find that the financial implications of getting hacked range from substantial to existential.
When a breach occurs, a merchant has not only let down their customer, they have also potentially created an attack vector into the connected layers of the payments ecosystem - and their partners tend to react negatively. Payment gateways may raise rates, insist on holding reserves from incoming payments, or even suspend or sever their contractual relationship. Card networks may impose large fines, require expensive auditing of security processes, or, again, decline to allow the merchant to continue transacting business.
With so many partners downstream, and with such weighty implications at play, getting payments compliance right is fundamental for all merchants.
Key elements of payments compliance
There are three core aspects of payments compliance that every merchant must have a strong - not to mention documented and stress-tested - plan to meet:
- Know Your Customer (KYC) compliance. This is the first step of protecting the payment ecosystem: ensuring everyone you do business with is who they say they are. In practical terms for merchants this means checking details like addresses and CVV codes to ensure that customers are using their own, valid, credit cards. When credit card details cannot be matched to the other information a customer provides, merchants must be prepared to decline the business.
- Anti-Money Laundering (AML) compliance. Online merchants must be on the alert to ensure that they do not become the unwitting dupes of those who are seeking to move money around the world for criminal, or even terrorist, purposes. Merchants should be prepared to limit the size of transactions, to check IP addresses against the customer information provided, and use automation to identify suspicious patterns of, for instance, purchases in one country that are set to be delivered to someone in another.
- PCI-DSS compliance. This is both the most comprehensive and the least-loved set of data protection standards in business today. The PCI-DSS standard establishes the right ways to protect data in motion and at rest, and provides a standardized approach for merchants to test and demonstrate the effectiveness of their compliance. The requirements get more onerous - and expensive! - as the number of annual transactions increases.
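The KYC and AML items above describe checks a merchant can automate at checkout: decline when the processor reports that the CVV or billing address did not match, and route to manual review when a single purchase is unusually large, when the order's IP country disagrees with the billing country, or when goods bought in one country ship to another. The following Python is an added example, not code from the original article or from any payment provider; the transactions, thresholds and field names are constructed for illustration, and it goes one step beyond the text by also aggregating a customer's purchases per day to catch a large amount split into several smaller ones.

```python
from dataclasses import dataclass
from typing import Dict, List

# Constructed thresholds for this example; real limits come from the
# merchant's AML policy and jurisdiction.
SINGLE_TXN_LIMIT = 5000.00      # any single purchase above this goes to review
DAILY_CUSTOMER_LIMIT = 5000.00  # aggregate per customer per day (catches splitting)


@dataclass
class Transaction:
    txn_id: str
    customer_id: str
    day: str             # ISO date the order was placed (constructed field)
    amount: float
    avs_match: bool      # processor's address verification result
    cvv_match: bool      # processor's CVV check result
    ip_country: str      # country the order's IP address geolocates to
    billing_country: str
    ship_country: str


def screen_one(txn: Transaction) -> dict:
    """KYC checks decide accept/decline; AML checks route to manual review."""
    kyc_flags: List[str] = []
    aml_flags: List[str] = []
    if not txn.cvv_match:
        kyc_flags.append("cvv_mismatch")
    if not txn.avs_match:
        kyc_flags.append("avs_mismatch")
    if txn.amount > SINGLE_TXN_LIMIT:
        aml_flags.append("amount_over_limit")
    if txn.ip_country != txn.billing_country:
        aml_flags.append("ip_country_mismatch")
    if txn.ship_country != txn.billing_country:
        aml_flags.append("cross_border_delivery")
    if kyc_flags:
        decision = "decline"   # card details do not match the cardholder's records
    elif aml_flags:
        decision = "review"    # suspicious but not conclusive: a human looks at it
    else:
        decision = "approve"
    return {"txn_id": txn.txn_id, "decision": decision, "flags": kyc_flags + aml_flags}


def screen_batch(txns: List[Transaction]) -> Dict[str, dict]:
    """Screen each transaction, then flag customers whose non-declined
    purchases on one day add up to more than the daily limit."""
    results = {t.txn_id: screen_one(t) for t in txns}
    totals: Dict[tuple, float] = {}
    for t in txns:
        if results[t.txn_id]["decision"] != "decline":
            key = (t.customer_id, t.day)
            totals[key] = totals.get(key, 0.0) + t.amount
    for t in txns:
        r = results[t.txn_id]
        if r["decision"] == "decline" or "amount_over_limit" in r["flags"]:
            continue
        if totals[(t.customer_id, t.day)] > DAILY_CUSTOMER_LIMIT:
            r["flags"].append("daily_aggregate_over_limit")
            r["decision"] = "review"
    return results


# Constructed sample orders (no real customers or cards).
SAMPLE_TRANSACTIONS = [
    Transaction("T1", "C1", "2024-03-01", 120.00, True, True, "US", "US", "US"),
    Transaction("T2", "C2", "2024-03-01", 80.00, True, False, "US", "US", "US"),
    Transaction("T3", "C3", "2024-03-01", 7500.00, True, True, "US", "US", "US"),
    Transaction("T4", "C4", "2024-03-01", 300.00, True, True, "FR", "US", "DE"),
    Transaction("T5", "C9", "2024-03-01", 2000.00, True, True, "US", "US", "US"),
    Transaction("T6", "C9", "2024-03-01", 2000.00, True, True, "US", "US", "US"),
    Transaction("T7", "C9", "2024-03-01", 2000.00, True, True, "US", "US", "US"),
]

if __name__ == "__main__":
    for r in screen_batch(SAMPLE_TRANSACTIONS).values():
        print(r)
```

T5 to T7 each pass on their own; only the batch view, which sums them to 6,000 for one customer on one day, sends them to review. That is the "suspicious pattern" the text says automation should catch, and why screening per transaction alone is not enough.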
Key ways to maintain payment compliance, affordably
One of the key attack targets for criminals is personally identifiable information (PII) stored in insufficiently well-secured databases. Merchants invest heavily in systems to protect their stored information - from firewalls to encryption - and every year hackers find a way to break in and to recover the original PII from the encrypted data they lift.
A key way to take this risk off the table is to use a third-party tokenization provider, which stores the card data in a secure token vault and gives the merchant a token to use in its place: a surrogate value with no mathematical relationship to the underlying data, so it cannot be reversed by anyone without access to the vault. The merchant then uses that token to instruct the token vault to submit the payment information to its choice of payment processors and gateways, without ever bringing the PII into its own environment. Not only does this drastically reduce the risk of a data breach, it also strongly reduces the cost of PCI-DSS compliance: when the PII simply isn't present in a system, the processes needed to manage it are far simpler.
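The following Python is an added example of the token-vault flow just described; it is not code from the original article or any real tokenization provider. `TokenVault`, `Merchant`, `fake_processor` and the method names are constructed stand-ins, and the card number is a constructed Luhn-valid test value. It shows the three properties that matter: the token is random rather than derived from the card number, the merchant's own records never contain the card number, and only the vault can turn a token back into a charge to the processor.

```python
import json
import secrets
from typing import Callable, Dict, List


def luhn_ok(pan: str) -> bool:
    """Luhn check: rejects obviously mistyped card numbers before vaulting."""
    digits = [int(c) for c in pan if c.isdigit()]
    if len(digits) < 12:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:           # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


class TokenVault:
    """Constructed stand-in for a third-party token vault. Only this object
    ever holds card data; the merchant only ever sees tokens."""

    def __init__(self) -> None:
        self._store: Dict[str, dict] = {}   # token -> card data

    def tokenize(self, pan: str, expiry: str) -> dict:
        if not luhn_ok(pan):
            raise ValueError("invalid card number")
        # Random token: no key, no cipher, nothing to "decrypt". The only
        # way back to the card is this vault's lookup table.
        token = "tok_" + secrets.token_urlsafe(18)
        self._store[token] = {"pan": pan, "expiry": expiry}
        return {"token": token, "last4": pan[-4:]}

    def charge(self, token: str, amount_cents: int,
               processor: Callable[[str, str, int], dict]) -> dict:
        """The vault, not the merchant, forwards card data to the processor."""
        card = self._store.get(token)
        if card is None:
            raise KeyError("unknown token")
        return processor(card["pan"], card["expiry"], amount_cents)


def fake_processor(pan: str, expiry: str, amount_cents: int) -> dict:
    """Constructed processor stub standing in for a real gateway call."""
    return {"status": "approved", "amount": amount_cents, "last4": pan[-4:]}


class Merchant:
    """Merchant system: stores orders with a token and last four digits only."""

    def __init__(self, vault: TokenVault) -> None:
        self.vault = vault
        self.orders: List[dict] = []

    def checkout(self, pan: str, expiry: str, amount_cents: int) -> dict:
        # In practice the card data goes to the vault directly from the
        # customer's browser (hosted fields); the merchant receives the token.
        ref = self.vault.tokenize(pan, expiry)
        order = {"token": ref["token"], "last4": ref["last4"], "amount": amount_cents}
        self.orders.append(order)
        return order

    def capture(self, order: dict, processor=fake_processor) -> dict:
        return self.vault.charge(order["token"], order["amount"], processor)


def merchant_storage_has_pan(merchant: Merchant, pan: str) -> bool:
    """Audit helper: does the merchant's persisted order data contain the PAN?"""
    return pan in json.dumps(merchant.orders)


TEST_PAN = "4111111111111111"   # constructed Luhn-valid test number

if __name__ == "__main__":
    vault = TokenVault()
    shop = Merchant(vault)
    order = shop.checkout(TEST_PAN, "12/29", 4999)
    print(order)
    print(shop.capture(order))
    print("PAN in merchant storage:", merchant_storage_has_pan(shop, TEST_PAN))
```

Because the token is generated with `secrets.token_urlsafe` and stored in a lookup table, a leaked merchant database yields tokens that are useless without the vault, which is the risk reduction the text describes; the PCI-DSS saving follows from the `Merchant` class never handling a card number after checkout.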