All About PCI | Episode 26
PCI compliance is universal. Whether you’re doing business in Australia, where we find ourselves in this episode, or anywhere else in the world, protecting your data, your customers’ data, and their customers’ data is essential for making Embedded Payments a success.
Despite the importance of the Payment Card Industry Data Security Standard (PCI DSS), it’s often a confusing topic for many businesses. So our host Bob Butler recently sat down with our expert down under, Zac Lutton, Head of Fraud and Risk for Payrix Australia, to help dispel some of the misconceptions and answer some common questions.
According to Zac, the key to PCI compliance is understanding your obligation in the payment chain to create a safe environment for data. Protecting payments is a joint effort between a payment provider and a software company. “Any payment provider can only protect data and information once it is passed on to them, and you, as the software partner, need to have provisions in your environment to protect yourself on the journey in passing that information.”
That’s why he urges companies who want to add payments to their software offering, to educate themselves about PCI requirements and hire experts internally or work with trusted partners. “What PCI does is give you best practices on how to protect yourself and help identify areas of weaknesses. PCI gives you the ability to create internal policies that help you through the importance of taking payments and identifying best-practice mechanisms to safeguard your whole entire environment.”
He says PCI is not an insurance policy, but it has to be a priority for companies to build a strong security foundation and ensure safe and secure payment processing. “Don’t think you are exempt from fraudsters wanting your data or you won’t be a target. Everyone is a target today.”
With that in mind, the safe thing to do is have a listen.
Hi everyone, welcome to the PayFAQ Embedded Payments podcast brought to you by Payrix. I’m your host Bob Butler and today I’m going to be speaking with Zac Lutton, Head of Risk and Fraud and we’re gonna be talking all about PCI. So hey, Zac. Welcome to the show!
Great to be here, Bob. Love being back.
I actually love having you back and I know you’ve been here before, but just as a reminder can you tell the audience a little bit about yourself and your software and payments background.
Certainly Bob. Again, thank you for inviting me back on the show to talk about PCI and my name is Zac Lutton. My role at Payrix Australia is Head of Fraud and Risk which has many components of security awareness but essentially the goal of my role is to stop fraudulent attacks, unwanted intrusions and doing our part to protect the world from criminal activity. The full Batman and Superman gig. Safeguarding our partners is critical to our success and our partners’ success. And every opportunity to help remove fraudulent behavior and educate is a win for us all in the industry. I’ve been managing payments for a long time now, since 2000, for all the major financial institutions and managed all aspects of payments processing, payment coding, issuing, and acquiring. I’ve built my entire career on protecting payments for all industries and the security and compliance of that payment is what drives me every day in fighting the good fight against intruders and to ensure the consumer is protected in every interaction of that payment journey with the latest technology at hand and making it a seamless and fast payment journey for everybody. The payment software utilized here in Australia through Payrix has been developed in-house and it’s a world-class payments engine that is nimble and dynamic.
This allows our partners to integrate into a safe and secure environment that gives all partners in our payment channel the capability to process any type of payment required by our clients. The great part of our platform offering is that payment processing is just one component of the many accessible benefits that can be utilized to help your business understand the value of doing payments here with Payrix in Australia. Having the functionality to generate reporting, reconciling, set schedules. You know we’ve got flexible REST API integration. We connect to many third-party accounting packages such as Xero to give the merchant and the partner the flexibility around payments. We give the partner and client full control through the whole journey with us. The best part for myself and the risk team is proprietary-built fraud tools and monitoring that assures we can assist in mitigating any fraudulent attempts on our platform with a qualified team watching fraudsters and their movements hopefully twenty-four/seven every day of the week.
Now that sounds great, I mean Zac. I would love to hear you know what interests you about this thing called PCI. It can be considered a confusing or shall I say, now that I’m down here in Australia, a dry topic. How do you make it relatable for fast-paced growing software companies and their merchants and first of all, what is PCI DSS?
Yeah, we love a good acronym so look let me break it down straight away for you Bob and the audience so everyone doesn’t have to go off and have a quick Google. It stands for Payment Card Industry Data Security Standard and essentially, it’s a step-by-step guide of 12 requirements and 6 principles to follow to show businesses who need to be PCI compliant how to become compliant and follow a universal program of security. The simplest explanation and the way I like to explain it, and yeah I’ve heard it many times, is you’re protecting cardholder information safely and securely. And that’s just a nice easy way to remember it. It’s anything on your debit card or credit card that you hold, we like to protect, and we need to protect. So look you’re talking about it’s a little bit dry and confusing. So, if you are confused, I need to tell everyone, get up to speed. If you think it’s dry, get thirsty. If you don’t make PCI priority number 1 in your business right now, get yourself and your business educated on PCI requirements and principles. If you don’t switch gears and get to know PCI management now, you are putting your entire business and everyone you are connected to in a position of compromise, which in turn can easily wipe out so many organizations.
Taking payments is not just a pick-up-and-play exercise at Officeworks, and my biggest heartfelt plea to every software partner is, don’t think you are exempt from fraudsters wanting your data or you won’t be a target. Everyone is a target today, and we need to get thirsty and passionate about PCI yesterday.
Hopefully that’s got you excited there Bob about the PCI DSS acronym. Ah, let me take you through some other thoughts here about PCI and why I believe it’s such a great topic to understand and that we all should be heavily invested in.
Number 1, do not let anyone control your environment. You know? You lock your house door when you leave for the morning, you lock up that Victa mower in your shed that you spent a thousand dollars on, you put your cash and all those diamonds in a vault in a bank, then why wouldn’t all the data you collect and use about your customers in an online environment not also be stored and encrypted and in a safe and secure way as you have locked up your other worldly possessions. PCI for me is keeping what I love safe and secure, which in my world, is data and ensuring the partners I do business with have the knowledge and trust that I’m protecting their sensitive information when they do business with me. As you mentioned earlier, the easiest way to think about PCI is card security in a safe environment. We’re protecting that data that you store in your wallet in an online environment. So, the information you request from a card holder or give another party capability to access is considered high priority protection and you must adhere to the PCI Security Council policies. That’s just understanding your obligations in the payment chain. You know there are 12 key requirements to adhere to and all 12 requirements are about identifying the part you play in the payment chain and your obligations in protecting data. The 12 requirements all relate back into 6 key principles. And look, you know we’re all professionals in our current day-to-day business and we’re probably already doing most of those parts in your business today and so PCI requirements shouldn’t be a huge uplift for you to get in front of. Payrix engage with software companies to integrate payment solutions into their software which offers a complete integration that provides the ability to close the journey loop for their customers.
Software companies and merchants do need to know these intricacies of payments, but importantly need to understand that their own security principles should apply when adopting a payment integration. Let’s say I’m a real estate software partner in this example. That real estate partner engages with real estate agencies to sell their real estate software. Their value proposition when they go out to market for their software is already heavily weighted on security, privacy, reliability, and safety. Now if you want to do payments inside your real estate software, you need to ensure you apply the same principles of security, privacy, reliability, and safety.
Payrix offers you solutions to integrate, encrypt, and protect at the highest PCI levels to offer maximum protection. But what we don’t do is manage your overall environment. What Payrix or your payments provider will help arm you with is knowledge about PCI, why PCI is important, and why it is important to your business to uphold PCI security standards. Any payment provider can only protect data and information once it is passed on to us, and you as the software partner need to have provisions in your environment to protect yourself on the journey in passing that information.
Now Bob, you gave me a great analogy to work on for PCI the other day. So hopefully this example will resonate with you and our listeners. So, when you said how strict Australia is to get into the country and all our work provisions, now let’s picture the rest of the world as the software partner wanting payments and Australia as your payments provider. Australia has all the regulations to keep us safe and protected with these 12 requirements and 6 principles to make that happen. So, when you come marching through customs, we apply our principles to make sure Australia is safe, but everything leading up to that moment of Bob packing his bag, Bob locking his front door, is all on you Bob. I can’t control what Bob does before he gets to customs. I can only control our principles. So, Bob I need you to know the 12 requirements and principles before you come to Australia so you can be prepared and secure through the entire journey from locking your door to getting through customs. So that’s, you know, when you see on those TV shows. That’s why customs always ask you has anyone touched your bag or helped you pack. Think about your own network now and ask the same questions: who has access, who has control and security around your current infrastructure, and will you know the answers when the questions are asked. Ensure you can always answer that question. How are you protecting yourself, so you don’t get caught at customs. At any stage many influencing factors could make you lose sight of your bag before you pass it off to the Payrix environment. If you have PCI understanding, this will help you identify those possible influences and threats, and gives you best practice guidance so you don’t lose sight when you pass your data to Payrix. Intruders are sophisticated and are looking for any weakness in your security environment to obtain data or manipulate data for the purposes of either monitoring, gain, or disruption.
Following our PCI plan and partnering with sophisticated payment partners enables you to understand or find intrusions early and put in place remediation before an attack becomes an intrusion that you can’t quickly unwind. Just so we’re still following my thought pattern here, and I hope we still are and Bob you’re still with us, we’re talking data security and protection for your customers’ cardholder data and we’re not working on solutions for Bob to pass border control.
Please seek expert advice and understand the landscape you’re playing in so you don’t end up a statistic somewhere, as having no controls over your platform will have dire consequences if not playing correctly.
Zac, I love the analogy and it makes a lot of sense since I just recently came into Australia and I’d never really thought of PCI in that fashion. That it’s about you can control some environments which is what the payment processor does but everything before that they don’t control. So, I loved the example.
But let’s switch over to PCI documentation. You know it’s incredibly detailed and sometimes it can seem overwhelming for a software company. What’s the easiest starting point when it comes to digging into that PCI documentation?
Yeah, I love that when you say overwhelming and that’s probably a good segue into this section because a lot of what people say when I go to different conferences or out to different software partners to engage with is how much detail there is in PCI. And what you need to do like any business infrastructure is really break it down to its core. Sometimes I start with the fear mechanism here Bob, to talk about all the breaches and fines, but I won’t go there today and usually I love to tell people just give me a call and I can work through it.
But my first recommendation is probably a little bit different to most people as everyone will always say you know fill out an SAQ. And what is an SAQ? It is a self-assessment questionnaire to understand your own infrastructure and that should tell you everything you need to know by doing an SAQ. It can be great straight up. If you’re ready to dive into it, it shouldn’t steer you wrong, but what I really believe is important is to have the right discussions in your business about what you are wanting to achieve when adding payment software and why it is important to your business that you develop or enhance your capabilities with payments. Because most software, they don’t have payments so they’re bringing a whole new infrastructure into their ecosystem. So it’s crucial to have that early question about what are we wanting to do. So the question is you want to do payments. Yes. We understand that now. That’s great, but do you know your own system capabilities and do you know if you have the right security and protection around your current environment before you start introducing a payment connection.
Now another analogy? You don’t go building an outback barbecue deck onto your 1800s Queenslander house or out there on your Texan ranch, you don’t build a wraparound on your house if the house is currently falling down and the foundations are questionable. You know when you partner with Payrix it really is about partnering with the right business for the right purposes and helping you identify the requirements to integrate securely to ensure your environment or deck is well protected now and into the future. We want to make sure we’re thinking future for your payments and your software. So if you’re connecting to the Payrix platform we want to ensure we’re protected together, which is very important to understand, we’re in this together. You want to be on that barbecue party deck or that lovely wraparound ranch looking at those stallions to make sure you know we’re having fun together and we’re protected safely and securely and know well in advance if there’s any weaknesses or possible intrusion points that we can remediate.
So, once you understand your environment and why you want to monetize payments in your environment, the next important step is having the right people engaged in your business to understand the need for PCI and have the capabilities to integrate with payments. I’ve seen countless software weaknesses and incomplete programs as businesses engage the wrong skillset internally which will only place the business in contention for breaches and fines. Your business must develop a sustainable security and compliance program to show its effectiveness on an ongoing basis, which is a critical component of the 6 principles that we’ve mentioned. So now we’ve gone through this. We have the right internal people. Check. That’s what I usually say give us a call and let us talk to you about your payment needs and help you to start your journey about PCI. And at this stage it’s important to start to review those key 12 requirements and 6 principles and how you fit into this process. This is when we can start the conversation about why we all play a pivotal part in the transaction lifecycle and why we all have obligations under PCI.
Again, love your analogies, makes complete sense. So really appreciate that. Zac, do you recommend that if a software company is embedding payments or integrating payments, do they hire someone to handle PCI or perhaps lean into their payments partner or Payrix, whoever it might be, or would they do both?
Yeah, look first of all, it’s a great discussion topic to have those upfront, honest conversations within your business. You need to internally understand what your current business infrastructure looks like and what capabilities you do have. PCI is not a tick and flick exercise and requires you to review in detail your entire infrastructure to understand all your requirements. In my experience, if you’re wanting to monetize any component of your business, be that payments or other bits of software or plug-ins that you offer your customers, then you should invest in experts that understand the payment infrastructure or internally have the skill sets to understand the importance of offering payments and how you ensure your company is safe from attack. I have seen too many times internally, staff members putting their hands up saying, yeah I can do it, it’s easy, but please ensure that you understand their skill set and that they understand their remit when they’re connecting to a payments company and offering PCI safety.
Let’s get into a little bit of regulatory stuff around offering payments. There’s so much regulation and legislation and at Payrix, we take on that heavy lifting and that’s important for you to know that we are bound by many regulators in the industry. So just to rattle off a few, you know we have the ATO, the Australian Tax Office, we have the Australian securities regulator being ASIC, we have the OAIC being all the privacy legislation, AUSTRAC, that records all the transaction reports and analysis, and also the schemes you know Mastercard, Visa, Amex, JCB, Diners Card. Now I mention all these regulations not to concern you about them, but to inform you that there is a lot of regulation in play to process a payment. And there are heavy penalties for non-compliance. PCI regulations sit on par with these heavily regulated bodies, and we need to ensure that we abide by these security parameters that are set out by the PCI Council to ensure consumer security and privacy is protected. And you avoid any possible security breach that holds heavily weighted penalties. And you know we’ve seen out there, in the Australian landscape, but also everywhere internationally, there are huge fines for non-compliance in keeping data private or fraudsters getting inside networks and systems and using that data on the open market.
Now, these are just some of the Australian regulators I discussed, but each country has their own similar global regulations and tweaks on those regulations and requirements and that’s why it’s imperative to know where you are doing your payments and who can help navigate those regulators. The great thing with PCI though is it’s universal and all requirements translate to all countries. So to get back to answering a bit of your question there Bob, seek expertise in payments early by talking to your payments partner. You know it doesn’t cost to ring your payments partner and have a chat to them. Speak to a PCI expert, which your payments partner should be able to offer you, and then you should have some clear understanding on your next steps and more importantly, which self-assessment questionnaire you need to complete and review. Once you have completed your SAQ and understand your PCI scope, then you’ll understand what your environment may need and what personnel will help you deliver and monetize a solution that is PCI compliant and most importantly, a safer payment.
That sounds really interesting Zac, but I’m a software company – what is the biggest misconception that a software company even has about PCI?
You know I love talking about this topic Bob, and misconceptions, there are so many and there are so many blind spots when you talk to software companies because they’re focused on their software and what they do great at. And then for them to go into monetizing payments, sometimes they feel like it’s just a plug and play and forget component in their software. The first thing I go out and say is, I’m not your software security company and I don’t have access and control over your company. I would love full access, that would be fantastic so I can see any future fraudsters, but the reality is you control you and we control our environment. What that means is, we have all our responsibilities under PCI obligations and that’s because there are multiple ways to integrate your payments with your partner and your partner is unable to control your infrastructure before you send a payment message to us. So, what the misconception is about is when connecting to a level one PCI processor, what that really means is there are scenarios when a man in the middle attack can happen and redirect your customer to a payment page that is not controlled by your payments partner. Having a regular pen test and security check from a PCI vendor helps you identify those possible intrusions or weak points within your network and helps you remediate these concerns quickly. The old saying is you know we don’t know what we don’t know so you need to protect your environment and ensure that there’s no intrusions or weaknesses so when you connect to us, we have that safe transfer of data and we both feel secure in that transfer of information.
Another big misconception is that by being PCI compliant and using a PCI compliant partner, I’m protected from fraudsters, intrusions or attacks. PCI is a set of best practice guidelines and is not an insurance policy or a detection system to stop fraudsters. What PCI does is give you best practice of advice on how to protect yourself and help identify areas of weaknesses. PCI gives you the ability to create internal policies that help you through the importance of taking payments and identifying best practice mechanisms to safeguard your whole entire environment.
So finally, we’re getting towards the end of our discussion today and I really appreciate you being here. What are the biggest mistakes a software company can make around PCI that they could easily avoid otherwise?
Yeah, look again, awareness and understanding of obligations are the concerns I always discuss with partners and continue to reiterate in every discussion about PCI. Understanding your infrastructure and how you want to integrate is important. This sets up the scope of PCI that you are obligated to adhere to. If you don’t have a clear mapping of your current infrastructure and how you integrate and pass data to your payments partner, you may find yourself aligning with the incorrect SAQ, your self-assessment questionnaire, which could mean you’ll fail your PCI obligation. Because that SAQ dictates how you need to complete your 12 requirements and your 6 principles. So, for example, if you’re storing cardholder data prior to passing it on to your partner, you would be categorized differently in the PCI scoping than a straight pass to your payment provider. So understanding that SAQ and completing it correctly is crucial. That’s tip number one.
The other tip I also pass on to my good old granny, and that is understanding who you are talking to and are you talking to an expert in the industry. There are so many cheaper, free security vendors and payment partners and you need to be confident who you are connecting with and that you are also diligent in their security managers, and that their number one goal is to help protect you and your customers. The PCI Council website is fantastic, has a lot of great information, but it also has an approved vendor list for you to look through and choose, and that’ll help you understand who you can go to for PCI. Visa and Mastercard also publish approved payment providers that are bound by PCI compliance.
So for us here at Payrix Australia, Payrix Global, Payrix USA we’ve got to upload all our requirements and attestation to Visa and Mastercard to show them that we have done our yearly audits. And we’re doing everything correctly and we’ve passed all our compliance that we do regularly as well. Never connect to another platform until you feel comfortable and the business is wanting to be a true partner with you through all components of your business integration. If it doesn’t feel right and you are not happy with the interaction you’re receiving from any of your providers about PCI security, then trust your intuition and walk away. And that’s a good saying for anything that you do with payments, if you feel something’s a little bit suspicious or you feel a little bit uneasy and you’re taking a transaction or a payment from someone that you don’t understand who they are or what they do then walk away. Talk to the experts. Give me a call because that’s what we love doing here.
Spoken like a true risk and fraud expert. Zac, are there any last pieces of advice you’d like to leave for a software company, whether it relates to PCI or just general risk and fraud?
That’s dangerous, asking me for one last one Bob because I’ve got so many, but look, a border control, poorly built decks, grannies that answer the phone to anyone, Bob not sure who packed his bags at customs… look maybe I could finish off with one last Australian analogy. Don’t feed the dingoes or pet the dingoes as they bite. Don’t give fraudsters easy access to your business as that’ll be worse than a dingo’s bite. And look, I know the value of trust and hard work, and to come unstuck because you didn’t understand PCI, or didn’t simply pick up the phone to a payments expert, can really cripple your business. The Australian regulators are hot at the moment, they’re cracking down and that’s not just Australia, that’s globally on any sized business that fails to uphold certain standards, and the reputational fallout from not protecting your customers can severely cripple or finish up your business. Happy for anyone to reach out to me or the team at Payrix to help you with your payments journey and guide you through the best steps to becoming compliant and processing payments that are safely completed, and you know that’s the key tip, safely. Everything should be safe in your environment, in the payments environment, so you’re protecting yourself, your customers, and your customers’ customers.
So Zac, thanks again for being on the show. You know I’ve spent quite a bit of time with you over the past years and I’m now down here in Australia spending some time with you and I know we’re both big believers in sharing knowledge and experience, so we really appreciate you joining us today!
Bob you’re awesome with everything you’ve done for payments and you know being a part of your podcast series is truly an honor and blessing and look. Looking forward to getting into our budgie smugglers down at Bondi Beach and running amok while you’re here in Australia and just keep talking payments.
Excellent. We want to be a trusted resource for software providers who are out there trying to make sense of Embedded Payments and finance and to help them get the education that they need to make the business decisions their customers and investors will thank them for.