Data Breaches and the Importance of PCI Compliance

An Integration with Payscout’s Paywire Gateway Can Significantly Reduce Your Risk of PCI Non-Compliance

American Medical Collection Agency (AMCA), a third-party healthcare debt collection firm servicing 7.7 million consumers, recently experienced a massive data breach that exposed consumers’ personal data and payment information. AMCA subsequently filed for bankruptcy as a result of the fallout from the breach. This event is a stark reminder of how crucial it is to abide by PCI compliance requirements and to understand whether your software partners and providers are compliant.

Payscout is a PCI Level 1 and PA-DSS certified Service Provider, and we have recently been reviewing our new and existing technology partnerships to ensure that our mutual customers are fully protected. As our partner, you can use our integration solutions to reduce your PCI scope, regardless of whether you offer an online application (PCI DSS requirement) or a distributed application (PA-DSS requirement).

Definition of PCI Scope

PCI scope is established by the presence of a credit card number (the primary account number, or PAN). If the PAN is ever transmitted, processed, or stored by your software, then it is a payment industry requirement to comply with PCI DSS and to complete a rigorous compliance validation facilitated by an authorized QSA (Qualified Security Assessor) company. Organizations that do not comply with PCI DSS face potentially serious consequences, which can include the following:

  • Increased transaction fees
  • Fines from the acquiring bank and/or card brands
  • Responsibility for fraud loss in the event of a breach or other security incident
  • Loss of ability to accept credit cards as a form of tender
  • Reputational damage in the event of a breach
  • Inability to claim safe harbor should a serious security incident impact cardholder data security

The Costs to be PCI Compliant

For a software company to become a PCI-compliant Service Provider, the annual audits are rigorous and time-consuming, and typical costs for QSA audits are as follows:

  • PCI DSS: $25k+ annually
  • PA DSS: $30k+ every 3 years, plus the annual PCI DSS cost

In the event of a breach, the cost to resolve a security incident is $7 – $15 per credit card number. For 10,000 credit card numbers, that rises to $70k – $150k. Many software vendors and merchants have the potential to affect the security of far more than 10,000 card numbers, so fraud loss could be astronomical. Following AMCA’s data breach, AMCA’s largest clients immediately terminated their relationships, further impacting AMCA’s ability to bear these expenses and consequently rendering the company bankrupt. These consequences not only affect the software company but also put every customer using the software at risk.

We can work with you to identify the best solution for your situation, based on your type of application and how it is distributed. In addition, we work with a QSA who can attest to your out-of-scope status and provide a letter certifying that status for your customers’ compliance audits.

Does Your Business Fall Within the Scope of PCI Compliance Requirements?

There are many layers to PCI compliance requirements. If you facilitate electronic payments within your software application, how you capture card details (card number, expiration date, and CVV) determines whether you fall within the scope of PCI compliance.

According to current PCI Requirements, here’s how it works: 

  • If you capture payment card information directly within input fields in your application for transmission to a payment gateway via an API, you are in PCI scope.
  • If you capture payment card information using a payment gateway’s hosted payment page, presented in either an iframe or a modal window (popup, lightbox, etc.), you are out of PCI scope.
  • If you capture payment card information via a full redirect to a payment gateway’s hosted payment page, you are out of PCI scope.
  • If you capture payment card information via some other method, requirements will vary.

How is your Product/Software deployed?

  • If your Product/Software is deployed online as a web application, you are required to comply with PCI DSS requirements.
  • If your Product/Software is distributed within a client’s network (via either desktop or web applications), you are required to comply with both PCI DSS and PA DSS requirements.
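As an added illustration of the two checklists above (capture method and deployment model), and not code from Payscout or from this page, here is a small Python scope pre-check: it scans a merchant’s own checkout HTML for card fields rendered in the merchant’s DOM versus a gateway-hosted iframe or a full redirect, and maps the deployment model to the standards the page names. The gateway host `gateway.example`, the field-name hints and the sample pages are constructed assumptions; the QSA’s determination still governs.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Field names / autocomplete tokens that mean card data is rendered in the merchant's own DOM.
CARD_HINTS = {"cc-number", "cardnumber", "card_number", "pan", "cc-exp", "cc-exp-month",
              "cc-exp-year", "exp_date", "cc-csc", "cvv", "cvc"}


class CheckoutScanner(HTMLParser):
    """Collects card inputs, gateway-hosted iframes and gateway-targeted forms from a page."""

    def __init__(self, gateway_hosts):
        super().__init__()
        self.gateway_hosts = set(gateway_hosts)
        self.card_inputs = []     # card fields the merchant page itself renders
        self.gateway_frames = []  # iframe/modal sources served by the gateway
        self.gateway_forms = []   # forms that post straight to the gateway (redirect flow)

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "").lower() for k, v in attrs}
        if tag == "iframe" and urlparse(a.get("src", "")).hostname in self.gateway_hosts:
            self.gateway_frames.append(a["src"])
        elif tag == "form" and urlparse(a.get("action", "")).hostname in self.gateway_hosts:
            self.gateway_forms.append(a["action"])
        elif tag == "input" and {a.get("name", ""), a.get("id", ""), a.get("autocomplete", "")} & CARD_HINTS:
            self.card_inputs.append(a.get("name") or a.get("id") or a.get("autocomplete"))


def classify_capture(html, gateway_hosts):
    """Capture rules from the page: own card fields => in scope; hosted iframe/modal or redirect => out."""
    s = CheckoutScanner(gateway_hosts)
    s.feed(html)
    if s.card_inputs:      # PAN enters the merchant's DOM/server: in scope, whatever happens next
        return "in-scope", s.card_inputs
    if s.gateway_frames:   # gateway-hosted page embedded in an iframe/modal
        return "out-of-scope", s.gateway_frames
    if s.gateway_forms:    # full redirect to the gateway's hosted page
        return "out-of-scope", s.gateway_forms
    return "varies", []    # some other method: requirements vary, needs review


def applicable_standards(deployment):
    """Deployment rules from the page: web app => PCI DSS; distributed into a client's network => both."""
    return {"web": ["PCI DSS"], "distributed": ["PCI DSS", "PA DSS"]}[deployment]


# Constructed sample pages; gateway.example is a placeholder host, not a real endpoint.
GATEWAY = ["gateway.example"]
IN_SCOPE_PAGE = '<form action="/pay"><input name="cardNumber"><input name="cvv"></form>'
IFRAME_PAGE = '<iframe src="https://gateway.example/hosted?session=abc"></iframe>'
REDIRECT_PAGE = '<form action="https://gateway.example/checkout"><input name="amount"></form>'
```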

Interested in learning more? Payscout’s Fran Fisher will be discussing PCI Compliance Scope in further detail at Ontario Systems’ 2019 PowerUp Conference.

Wondering if your Business falls within PCI Scope? Contact sales@payscout.com so we can help you find out.

Expand Your Nonprofit’s Mission with Mobile Payment Processing


If you own or work for a nonprofit organization, give an impetus to your organization’s growth and mission by embracing technology. Mobile payment processing, for one, has the potential to boost online and recurring donations, driving your mission further.

Paying online and via mobile is quickly becoming the preferred method of payment for Americans; this is especially true for millennials. As a nonprofit organization, millennials should be among your most targeted groups. Millennials are disrupting traditional giving; while they frequently give (even more so than other generations), they expect certain things before deciding to part with their funds.

Online giving, for example, is an area that millennials are shaping. In 2016, overall giving grew a measly one percent, but online donations (according to Blackbaud’s annual giving report) grew nearly eight percent in one year. The influence of the millennial generation is becoming, and will continue to become, a necessary resource for the nonprofit community. By embracing mobile payment processing technology, you open your organization to great opportunities, such as:

1. Enable online donations

By offering donors the opportunity to donate online, you make it more likely that they complete the donation process. Donors that give online or via mobile are also more likely to give recurring donations to organizations they favor. Having an online giving platform will also reduce the amount you spend on marketing materials, as there will be no need to send donation cards and reminder cards when donors can simply give online.

2. Increased donation amounts

People spend differently on credit cards than they do with money in their wallet. They are more apt to be generous (especially in cases where there is a return, i.e. credit card air miles). A properly crafted online giving platform could leave you with higher donation amounts for your mission.

3. Sell tickets

If you have a special event or yearly fundraiser that you encourage donors to attend, selling tickets online will save you time and money. Again, people are more likely to purchase online than they are in person. Nonprofit payment processing technology will make filing your 1099 and special event accounting much easier, as you’ll be using an easy, trackable system.

4. Merchandise opportunity

Donors are passionate about the causes they care about, and most will happily showcase that support. If your donation platform exists online, you can give donors the opportunity to further support your organization with branded merchandise that provides you with free awareness of your nonprofit.

5. Heightened security

Compliance with the PCI standards is now required annually of all organizations involved in the handling, processing, management, or storage of cardholder data. Since 2006, the PCI SSC’s resulting data security standard (PCI DSS) has assisted merchants globally with best business practices to better secure customer cardholder data, through annual updates to the PCI DSS.

With each new iteration of the standards, the PCI SSC addresses changes in risks and technologies to ensure merchants are well equipped to handle all scenarios around data security risks that may affect them. This means that your donors and information will be protected with a PCI-compliant payment processing company.

About Payscout

Payscout is a global payment processing provider covering six continents and connecting merchants and consumers via credit, debit, ATM, and alternative payment networks. They are experienced in assisting the nonprofit community. Payscout makes it easy to simplify and manage payment processing so you can quickly put donations to work at your organization. Payscout will streamline the donation process for you whether you accept donations online, onsite, or via mobile. They can even keep your utilities on track with utility payment processing.

Discover how to mobilize your donations at www.payscout.com

Payscout Leads Compliance Talks at ACA International Convention

Payscout hosted an interactive panel, “Payment Compliance Outlook and Why It Matters to Collection Agencies,” at the ACA International Annual Convention and Expo. ACA Convention, the largest event for the credit and collections industry, provides an opportunity for attendees to learn from experts whose innovative ideas keep professionals ahead of a shifting regulatory environment and informed of emerging legal trends, and to uncover emerging trends and best practices with industry leaders.

The panel was moderated by Payscout Strategic Sales and Business Development Manager – ARM, Fran Fisher, who appeared alongside Edward Marshall, Chair – Business and Litigation Payment Systems Practice at Arnall Golden Gregory, LLP; Brian Riley, Director of Credit Advisory Service at Mercator Advisory Group; and Giles Witherspoon-Boyd, President and CEO at Protocol Enterprises.

Together, the group provided an outlook for payment compliance issues and regulatory changes expected under the new administration. Focus was placed on how regulations such as PCI DSS and Reg E – and changes to them – impact collection agencies and other ARM companies. The panelists explained why it is important for organizations to pay attention, under the watchful eye of the CFPB, which oversees the payments industry.

The interactive session was one highlight of Payscout’s involvement in the ACA Expo. Payscout returned as a prominent exhibitor at the Convention and treated attendees to a new virtual reality (VR) experience highlighting the company’s thought-leading solutions and award-winning culture.

Payscout has been actively serving the accounts receivable management (ARM) industry for over a decade. The company built its reputation by providing unparalleled customer service and offering legitimate merchant accounts to collection agencies through reliable and highly sustainable acquiring banks. Payscout’s vision is to become the thought-leading and fastest-growing global payment processing provider in the world.
