All online brokerages who process, transmit or store customer credit cards need to comply with the Payment Card Industry Data Security Standard (PCI DSS, or as its more commonly known PCI compliance), which is a complex and demanding set of requirements for payment data protection.
It is time consuming, costly and risky for online brokers to manage their own PCI compliance. If a broker is holding customers’ credit card details on file, that broker is far more vulnerable to malicious hackers, whereas if the broker has outsourced PCI compliance and there are no credit card details on its system for a hacker to attempt to steal, then risks are greatly reduced. As all the card data is processed and stored by a third-party provider, hackers are far less likely to target the brokers themselves.
Outsourcing PCI compliance to a third-party payment provider has become an attractive option for brokers seeking to minimise the liability of their compliance responsibilities. A key factor in brokers’ decision making has been the overwhelming complexity of PCI compliance. Time spent working on compliance also means time spent away from profitable activities. We estimate that the cost of an assessment and implementation of in-house Level 1 PCI-related work can cost between $500,000 and $1 million per year. Return on investment is why many brokers have begun to look for alternatives.
For an online merchant it is important to reduce the red tape involved with PCI, to minimize risk and to reduce PCI scope (the regulatory protocols regarding the handling of customer card data). If properly done, outsourcing reduces or eliminates PCI scope, and minimizing scope is the simplest way for a broker to achieve PCI compliance.
ACY Securities Supports ASIC’s Product Intervention OrderGo to article >>
Brokers need to choose an outsourcing PCI partner carefully, otherwise they may not achieve the PCI benefits they were intending. If a broker’s outsourcing partner fails to meet PCI standards, that merchant is still responsible for PCI. Brokers need to make sure they are working with a reputable PCI outsourcing provider which is properly certified and uses the latest technology. Some companies claiming to offer PCI de-scoping (outsourcing) fail to indemnify the merchant against all PCI risk, and often leave customer credit cards’ records touching some of the merchant’s servers, so in effect the merchant is only partially covered. Ideally, a merchant needs to take all its IT infrastructure out of PCI scope, as any part of the merchant’s IT system which processes, stores or transmits cardholder data comes under PCI regulations. Another important consideration is the high availability of the service (users will not be able to get service whilst an outsourcer’s service is not available).
This is the responsibility shift. A well-equipped outsourcing partner will handle transmission of data from end users to servers, and process all payments which includes encryption, decryption, BIN analysis, validation and etc., all on a merchant’s behalf. To protect the data, a competent outsourcer will use various mechanisms. One such mechanism is a robust risk management platform that uses fraud algorithms and a huge negative database built over many years.
Another way in which an outsource provider can remove a merchant from PCI scope is by the use of tokenization, whereby a customer’s card details (the primary account number – PAN) are replaced by a token that has no exploitable meaning or value and takes the place of the card details. With tokenization, if a hacker were to gain entry to the merchant’s system all he/she would get would be the token which is going to be of no use as the hacker has no means of de-tokenizing.
With an expert partner, outsourcing can easily lead to increased payment conversion, repeat user retention, increased productivity and security. It leaves the broker doing what the broker does best, doing business with customers!