When you think about growing your business, improving data security probably isn’t at the top of your list—and that’s understandable. After all, the topic of security doesn’t sound as exciting as that latest Instagram hack and isn’t as immediately impactful as a new sales tactic.
However, the last thing you want to do is neglect data security. Having a secure platform for managing customer and payment data is paramount to building and maintaining trust, and you can’t do that with poor systems and practices.
In our latest webinar, Garrek Harris, Director of Platform Management at Stax, discussed the ins and outs of data security for merchants and ISVs. We talked about PCI compliance (and beyond) and what organizations can do to stay on top of all things data security.
TL;DR
- Data security and PCI compliance are critical for growth. They build trust with customers and protect you from liability so you can continue to invest in your business.
- When data breaches occur, fees and liabilities are passed down from processors to acquirers and ultimately to ISVs and merchants.
- Choosing the right payment partner with a solid security track record is crucial for enhancing data security and complying with PCI DSS standards.
What is PCI compliance?
Short for Payment Card Industry Data Security Standard, PCI DSS ensures the safe handling of sensitive payment information. It establishes safeguards for credit cards and other payment data and is designed to protect consumers and merchants from breaches and fraud.
Garrek says it best: “PCI compliance is a series of requirements put forth by the card brands that every merchant who wants to accept credit cards has to adhere to. And if they do not adhere to it, there are various penalties.”
The importance of PCI compliance
PCI DSS applies to any organization—small businesses, payment processors, payment gateways, ISOs, PayFacs, and more.
In short, everybody involved in the chain of credit card processing has a responsibility to safeguard credit information. Whether you’re taking credit card numbers, account names, dates, etc., maintaining strict adherence to PCI DSS guidelines is a must.
Now, the specific steps to implementing PCI compliance vary depending on where and how customer data flows your way.
PCI compliance for merchants
If you’re a merchant or sub-merchant, PCI compliance is all about securing the point of transaction and ensuring proper data storage practices.
Garrek points out, “From a merchant standpoint, PCI compliance revolves around the concept of ‘I’m taking this transaction. Perhaps I’m storing it in a CRM, or (though let’s hope not) we’re storing it on paper somewhere in the office. How are we taking that information?”
In other words, for merchants, PCI compliance mostly takes place at the point of sale or data storage—i.e., the CRM or ISV software.
PCI compliance for ISVs
Now, if you’re an ISV, your PCI compliance measures will be more centered around safeguarding software environments and facilitating the safe transfer of data.
“It’s the same principle from an ISV perspective, except they’re a little further down the chain,” explains Garrek.
According to him, ISVs would be asking questions like:
- How will I manage and transfer that data?
- Is my ecosystem locked?
- Are my pipelines solid so that data travels smoothly and security?
- Is the data tokenized appropriately?
Ultimately, Garrek says that ISVs must prioritize creating and maintaining a secure software environment that meets all the PCI DSS standards. Doing so ensures data remains protected at every point in the payment processing journey.
How PCI compliance affects business growth
Trust is foundational to any business. This is especially true when you handle financial transactions—be it credit cards, debit, ACH, or any other form of payment.
Your customers trust your business to manage and protect their payment information. When people trust you, they’ll stay with your company, which means you’ll be better positioned to grow.
Conversely, low-trust organizations are less likely to retain customers (let alone acquire new ones). Nothing breaks trust more than a data breach, so ensuring the highest level of data security is not just a regulatory requirement; it’s a critical growth factor.
Research shows that 60% of consumers would avoid doing business with a company if it had experienced a recent data breach.
This shows just how important data security is. Breaches compromise your reputation and bottom line, but more importantly, they can seriously harm the people you serve.
What happens in the event of a breach?
Speaking of which, when data breaches occur, fees and liabilities are passed down from processors to acquirers and ultimately to ISVs and merchants. Garrek likens it to “a game of rolling downhill.”
“In the event of the breach, the card brands will levy those fees to the highest level available first. So those are going to come in at the processor level. The processor, assuming that there’s an acquirer involved and they aren’t acting as the acquirer, will roll those fees down to the acquirer.”
He continues, “Assuming that an ISO or an ISV is involved, they’re going to roll those fees to the ISV level. And then that ISV will then have to subrogate that against the merchant.”
And here’s the rub: the average cost of a data breach is about $35,000. The sad part is that when impacted by a breach, about 60% of small businesses have to declare bankruptcy or close their doors.
As such, it’s critical for businesses to prioritize robust security measures. A big part of that lies in the payment partners you decide to work with.
What to look for in a payments partner to ensure PCI compliance
Regardless of whether you’re a merchant or ISV, having the right payments partner is critical. When you’re searching for a payments partner or processor, be sure to ask questions like:
- What kind of coverage exists for ISVs and merchants?
- Does the provider own a platform allowing ISVs and merchants to become PCI compliant?
- Do they have any kind of breach insurance that would apply to merchants or ISVs?
Garrek emphasizes that not all payment processors and platforms are created equal. For instance, some providers might not enforce strict compliance checks like certifications or scans, but this only minimizes their responsibility, not that of the individual merchants.
That’s why it’s critical for ISVs and merchants alike to confirm compliance responsibilities in writing and understand the extent of coverage and support provided by the payments company.
Don’t just look for a provider; look for a payments partner
Garrek’s advice? Set your sights on companies that offer a true partnership. This is particularly true if you’re an ISV.
Stax Connect, for example, focuses on tightly aligning with ISVs to enhance their business growth through scalable and comprehensive support tools.
“We pursue a partnership where we help an ISV grow, which in turn helps us grow. It’s a true partnership that’s meant to be scalable using in-house solutions, from CRMs to portfolio management to PCI tools. And that partnership is designed to create a very solid book of business that is mature and maturing over the years, with low attrition rates and deep relational ties.”
Final Words
For businesses looking to grow and thrive, nailing data security and PCI compliance is a must. It’s incredibly important to keep up with industry updates, follow best practices, and choose the right partners who prioritize security as much as you do.
We hope you found this webinar recap useful! Be sure to catch the full discussion on demand here.
Request Quote