Credit Cards as Payment
By Erica Olobri, Director, Assurance Services
Penalties are not openly discussed nor widely publicized but the payment brands may fine an acquiring bank $5,000 to $100,000 per month for Payment Card Industry (PCI) compliance violations. These banks will pass this fine to the merchant/service provider and will terminate their relations or increase transaction fees. These penalties are related to more substantial data breaches.
To start this off, let’s discuss the benefits of accepting credit cards as a form of payment then we will review the risks. The benefits include:
- An increased revenue stream
- Staying competitive
- Reduced collection
- Helps reduce the time needed to send staff to bank for deposits
On the other hand, there are increased risks with this form of payment which include but not limited to the following:
- Risk of fraud – internally and externally
- Additional bookkeeping expenses
- Staying updated with PCI Security Standards
- Data breaches
Now that we know some of the benefits and risks associated with adding credit cards as a form of payment at the organization, we can proceed with things we can do to mitigate or eliminate the risk.
Establish Credit Card Policies
- First thing is first, the organization has to establish a policy as to how this form of payment will be processed. In this policy, the organization should address how the credit card information will be stored within the organization, what type of security the organization has to protect themselves and who at the organization has access to the card information.
Establish Human Resource Testing that is Required for Personnel with Access to Information
- Once you identify the positions that will have access to card information, these employees should have required background checks upon hire and also annual or bi-annual credit checks.
Credit Card Storage
- Customer credit card information should not be stored in-house. This exposes the organization to unneeded risk. If customer information gets exposed, the organization could face legal issues and additional expenses to resolve the issue. Organizations should use an outside company or a token system.
- The best way to store credit card data for recurring billing is by utilizing a third party credit card vault and tokenization provider. By utilizing a vault, the card data is removed from the company’s possession and the company receives a “token” that can be used for the purpose of recurring billing. By using a third party, the company moves the risk of storing card data to someone who specializes in doing that and has all of the security controls in place to keep the card data safe.
- If the organization is processing and storing credit cards, the need for a self-assessment is very high and you may need to have a Qualified Security Assessor come onsite and perform an audit to ensure that you have all of the controls in place necessary to meet the PCI DSS specifications.
Based on all the risks noted above, it appears that accepting credit cards would be a risky way to do business. In reality, most organizations accept credit cards a form of payment because approximately 80% of consumers are using these to make purchases. The good thing is that there are ways to protect your organization from the risks of accepting credit cards as the form of payment. Having strong policies over this payment type, having human resource policies that identify certain personnel that will have access to this information be screened, knowing what risk storing the customer information in-house presents to you, using a token system and also ensuring any changes that you make internally are in compliance with the PCI Standards.