If you’re a SaaS provider considering becoming a credit card Payment Aggregator, or Payment Facilitator (Payfac) as a way to boost your bottom line by providing additional services to users of your application, you’re not alone.

Many SaaS providers are curious about Payfac, but too often companies jump into this role without a full understanding of the regulations and requirements involved in doing so.

Payment card industry compliance is one of the most important — and complicated — criteria to understand if you’re considering becoming a payment aggregator.

The Payment Card Industry Data Security Standard, more commonly referred to as PCI or PCI DSS, is a set of security standards with which all companies that accept, process, or store consumers’ credit card information must comply.

PCI Compliance standards are designed to ensure all companies maintain a secure environment for handling consumers’ credit card information. This requirement often catches a Payfac off guard. By not preparing for and complying with PCI Compliance, you can open yourself up to penalties and possible termination of your card acceptance agreement.

Different levels of compliance based on transactions processed as well as different validation requirements among different credit cards can further complicate the issue of PCI Compliance.  

Furthermore, there are 12 specific requirements for PCI DDS compliance, outlined by the PCI Security Standards Council. Each of the requirements are intended to meet one of the six goals outlined below:

Build and maintain a secure network

1. Install and maintain a firewall configuration to protect cardholder data. This entails creating a firewall configuration and testing it to ensure all sensitive data is protected.
2. Do not use vendor-supplied defaults for system passwords and other security parameters. This means creating and maintaining your own secure passwords and updating them frequently. Never rely on pre-set or existing passwords.

Protect Cardholder Data

3. Protect stored data. This requirement is for SaaS companies that store cardholder data for recurring billing or subscription-based customers. Some companies intentionally do not store data as a means of protecting themselves from liability for identity theft and other breaches. PCI Compliant Payfacs must put a number of virtual safeguards in place, including authorization and authentication steps, to protect the card data of SaaS customers.
4. Encrypt transmission of cardholder data across open, public networks. Encryption is a process that makes card data unreadable and therefore unusable to hackers. Even with encryption in place, however, sensitive authentication data such as PIN numbers and validation codes must not be stored after a credit card is authorized for payment.

Maintain a Vulnerability Management Program

5. Use and regularly update anti-virus software. New malware is developed all of the time. To protect customer data, it’s imperative that anti-virus software be updated frequently. As the Payfac for your SaaS application users, you are responsible for keeping card data safe and documenting your processes for doing so.  
6. Develop and maintain secure systems and applications. To maintain PCI Compliance you’ll need to uncover potential security vulnerabilities before they become an issue. This means regularly and consistently monitoring and updating firewalls and other systems.

Implement Strong Access Control Measures

7. Restrict access to cardholder data by business need-to-know. As a Payfac for your customers, you are responsible for limiting access to cardholder data in order to minimize the potential for breaches. Depending on the size of the businesses for which you’re facilitating payments, this can be a challenge.
8. Assign a unique ID to each person with computer access. You must always follow and enforce best practices when it comes to regularly encrypting and updating passwords (every 30 days), as well as authentication and authorization.
9. Restrict physical access to cardholder data. You should limit and monitor the number of people that can access credit card information for all of the transactions you’re processing on behalf of your customers. This can be particularly challenging if you are dealing with high volumes of transactions as a Payfac.

Regularly Monitor and Test Networks

10. Track and monitor all access to network resources and cardholder data. Monitoring user activity and stored information is instrumental in identifying the cause of a security breach in the event that one should occur. This can be cumbersome for smaller Payfacs, depending on the amount of transactions being processed.
11. Regularly test security systems and processes. If you’re going to become a legitimate and trusted Payfac for your own SaaS customers, you must be able to provide them the peace of mind they seek regarding your ability to constantly safeguard their customers’ credit card data.

Maintain an Information Security Policy

12. Maintain a policy that addresses information security. As a Payfac, PCI Compliance includes creating a policy that specifically outlines all acceptable uses of technology, as well as reviews and annual processes for risk analysis, operational security procedures, and other administrative tasks. These policies should always be at the ready should your SaaS customers request them.

PCI Compliance demands that you meet many technical requirements in place in order to safeguard yourself from the liability of handling sensitive credit card information. Meeting all of these requirements can quickly turn into a logistical nightmare for a Payfac.

If you are looking for an alternative to alleviate the burden of these liabilities, Agile Payments can help. We offer hybrid payment integration solutions to help ease some of these burdens and liabilities. If you’d like to learn more about how we can help your company, contact us today.