Payments data: Your company’s most valuable asset | Episode 17

Updated on March 20, 2022

In an industry where the rate of growth is unfortunately proportional to the threat of a security breach and fraud, there’s one thing that should be top of mind for every software company: secure payments.

Bob Butler is joined by Zac Lutton, Head of Risk for Payrix in Australia, on PayFAQ: The Embedded Payments Podcast to share his thoughts on the subject. Based on his 20 years of banking and payments experience in the Australian market, Zac discusses the role of payment risk management and how software companies in the U.S. can handle payment data to ensure it meets the highest levels of safety and compliance.

Software companies are leaning on experts to successfully secure payments

Zac is no stranger to the world of financial crime and how its threats have impacted payment acceptance for businesses over the years. “I’ve seen numerous technological advancements to enable the transaction to be processed. The speed to process is phenomenal […], which is brilliant for cash flow, but can also mean faster fraud,” said Zac. “At the end of the day, the main goal is for merchants to be able to take a wide range of payments in the most safe and compliant manner possible.”

Embedded Payments — the integration of payment processing into an existing system — has become an emerging growth strategy among software companies. However, as these SaaS providers become more involved within the payments universe, Zac says modern payment acceptance can feel too far out of reach to understand, which is why he recommends partnering with payments experts to navigate the landscape. Working with a secure Embedded Payments partner can help software companies mitigate risk and stay protected from fraud, as well as monetize payments and create a frictionless experience for their customers.

The key to secure payments is safeguarding payments data

For Zac, protecting payments data through effective payment risk management is the most important part of creating a secure payments ecosystem and experience. Payments data, he notes, is every piece of information collected along the payment acceptance journey and is considered personally identifiable information (PII). It can include contact information, date of birth, credit card numbers, etc. — and it all needs to be stored, vaulted, and encrypted correctly. Of course, the data collected varies depending on how a business decides to accept payments, whether it be through a hosted payment page, a virtual terminal, card-present (in-person) terminals, or other methods.

Zac says the most important thing to be thinking about is, “How do I protect each dollar that comes into my business?” For software companies, he offers the example of using a hosted payment page. This secure online payment option is a webpage or iFrame that is embedded into the software’s interface but hosted in the partner’s environment, where the payments are securely processed, so the card details never pass through the software company’s own systems.
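The hosted payment page pattern described above, as an added example that is not code from the podcast, from Payrix, or from any processor: the software platform embeds a page served from the processor’s origin in an iframe, so the card form never lives in the platform’s own environment; the platform’s page receives only a token back over postMessage, rejects anything from an unexpected origin or anything that looks like raw card data, and retains only the fields it needs (Zac’s “if you don’t need it, don’t collect it”). The origin, URL path, message shape and token format are constructed placeholders, not any real processor’s API.

```javascript
// Added example (not from the podcast, Payrix, or any processor): a hosted payment page
// embedded in an iframe, where the host page receives a token rather than card data.
// PROCESSOR_ORIGIN, the /hosted/checkout path, the "payment.result" message and the
// "tok_" token format are all constructed placeholders for illustration.
const PROCESSOR_ORIGIN = "https://hosted.example-processor.test";

// Build the iframe src. Only non-sensitive reference data goes in the URL; the card
// fields themselves are rendered by the processor inside the iframe.
function buildHostedPageUrl(invoiceId, amountCents, currency) {
  if (!Number.isInteger(amountCents) || amountCents <= 0) {
    throw new Error("amount must be a positive integer number of cents");
  }
  const url = new URL("/hosted/checkout", PROCESSOR_ORIGIN);
  url.searchParams.set("invoice", invoiceId);
  url.searchParams.set("amount", String(amountCents));
  url.searchParams.set("currency", currency);
  return url.toString();
}

// Tripwire for something that looks like a raw card number (13 to 19 digits, optionally
// separated by spaces or dashes). If such a value ever reaches the host page, the
// integration is misconfigured and the result must not be accepted or stored.
const PAN_LIKE = /\b(?:\d[ -]?){12,18}\d\b/;

// The only fields the platform keeps from a payment result (data minimisation).
const RETAINED_FIELDS = ["token", "invoice", "last4", "status"];

// Validate a postMessage event from the iframe. `event` has the same shape as a browser
// MessageEvent ({ origin, data }); in a real page this is wired up with
// window.addEventListener("message", (e) => handlePaymentMessage(e)).
function handlePaymentMessage(event) {
  // Origin check first: any window can post a message, so never trust data alone.
  if (event.origin !== PROCESSOR_ORIGIN) {
    return { accepted: false, reason: "message from unexpected origin" };
  }
  const data = event.data;
  if (!data || typeof data !== "object" || data.type !== "payment.result") {
    return { accepted: false, reason: "unexpected message type" };
  }
  // Card data must stay on the processor's side; refuse anything that looks like a PAN.
  for (const value of Object.values(data)) {
    if (typeof value === "string" && PAN_LIKE.test(value)) {
      return { accepted: false, reason: "raw card data must never reach the host page" };
    }
  }
  if (typeof data.token !== "string" || !/^tok_[A-Za-z0-9]{16,}$/.test(data.token)) {
    return { accepted: false, reason: "missing or malformed token" };
  }
  if (data.last4 !== undefined && !/^\d{4}$/.test(String(data.last4))) {
    return { accepted: false, reason: "last4 must be exactly four digits" };
  }
  // Keep only the allow-listed fields; everything else is dropped before storage.
  const record = {};
  for (const field of RETAINED_FIELDS) {
    if (field in data) record[field] = data[field];
  }
  return { accepted: true, record };
}
```

In the browser, the platform sets `iframe.src = buildHostedPageUrl(...)` and registers `handlePaymentMessage` as the `message` listener; because the cardholder enters card details into a document served by the processor, the platform’s page never sees them, which is what keeps the card data out of the software company’s environment and reduces its PCI scope. The origin check and the PAN tripwire are the two checks a reviewer should look for in any such integration.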

Software companies need to fully understand the value of their payments data

Zac considers payments data “priceless and hence, the most important aspect of your business.” However, a “lack of awareness about payments data means too many businesses are leaving their front doors just swinging wide open […] and inviting fraudsters in through too many entrance points.”

He advises that every software company should know their business intimately and fully understand their infrastructure, including every step of the payment flow and all vulnerabilities. When it comes to making decisions about data collection, Zac says, “if you don’t need it, don’t collect it.” The more data you collect, the more obligated you are to comply with payment security regulations.

Secure payments compliance regulations are complex

Regulatory requirements for accepting payments can be daunting — especially for new entrants — but they can’t be ignored. Zac highlights the major regulatory bodies and legislation that businesses must comply with when processing payments.

  • PCI DSS (Payment Card Industry Data Security Standard) compliance is applicable to any business that accepts credit cards. In Zac’s observation, many businesses fail to understand the need to complete PCI self-assessment questionnaires (SAQs). The results of the questionnaires help software companies understand their PCI scope and the compliance requirements they must adhere to.
  • Another important consideration Zac highlights is the privacy policy software companies share with their customers. His advice is to ensure that your published policy reflects the way your data is collected, secured, and used. He recommends steering clear of using third parties to construct your company’s policy or copying and pasting policies published elsewhere.

Given the legal and regulatory complexities of processing payments, Zac suggests that software companies partner with a secure payment processor equipped to handle the intricacies. This is especially helpful advice for software companies with global aspirations, as regulations vary from country to country.

Secure payments insights for software companies

“Unless you have trained risk and fraud specialists on hand, you could be exposing yourself to an unknown amount of payment risk,” said Zac. For software companies considering embedding payments into their software, he recommends partnering with a secure payment processor for guidance on managing the complexities of handling payments data. With the help of a trusted payments partner, like Payrix, software companies can:

  • Feel secure with payments technology that protects your organization from vulnerabilities and mitigates risk
  • Better understand the ever-evolving payments regulatory landscape and stay compliant with PCI requirements
  • Offer merchant customers access to PCI compliance programs, like SaferPayments by Worldpay
  • Prevent fraud with tools that help detect and prevent fraud attempts
  • Establish payment data collection and protection policies
  • Keep sensitive payment data out of the hands of cybercriminals and secure payments with tokenization through omnitoken

For more expert advice on how to implement and maintain secure payments, listen to this and other episodes of PayFAQ: The Embedded Payments Podcast.

  • Transcript

    Welcome to The PayFAQ: Embedded Payments podcast brought to you by Payrix. As payments and software experts that eat, sleep, and breathe Embedded Payments, we’re as passionate about you as you are about your customers. Each podcast episode will provide insights about Embedded Payments designed to help you feel the transformation and growth of your software business. You’ll learn from industry experts, Payrix customers, and leaders on the Payrix team about the latest trends, best practices, and real-world guidance from payments experts to help you take your software platform higher.


    Bob Butler

    Hi, everyone. Welcome to The PayFAQ: Embedded Payments podcast, brought to you by Payrix. I’m your host, Bob Butler. And today I’m going to be talking with Zac Lutton, the Head of Risk for Payrix in Australia, about protecting your payments data, and what the key things are to be mindful of if you are wanting to process payments in the Australian market. So hi, Zac, welcome to the show.

    Zac Lutton

    Hi, Bob. And good morning from Australia, very excited to be discussing my favorite party topic today with you.

    Bob Butler

    We’re excited to have you. So, Zac, can you tell us a little bit about yourself and your background in both payments and software.

    Zac Lutton

    Thank you, Bob. And again, a great pleasure to be joining you today. It’s always a little scary to let the risk guys out of the box to talk about security risks around payment. But hopefully today I can get people energized and excited about taking payments and being able to feel positive in knowing how to do this in the most safe and compliant manner. I’ve been working in the banking and payments industry now for 20 years and specialize in financial crime, which covers a range of aspects, and essentially what I’m trying to do is protect and allow payment to go from A to B in the most risk-free environment possible. So here in Australia, myself, I’ve worked with the big four banks, been a part of a global high-risk processor that managed gaming, pharma, adult, and e-wallets, and third-party outsource providers of AML and fraud. And currently I’m with Payrix Australia where I specialize in managing merchant risk. Over that time, I’ve seen and witnessed every type of illegal activity. And unfortunately, every day there is a new threat to take the task. If only the fraudsters would use their intelligence for a positive outcome. I think we’d see a different world.

    Bob Butler

    Well with all your experience Zac, how have you seen the industry evolve?

    Zac Lutton

    Over the last 20 years in the payments industry, you know, I’ve seen numerous technological advancements to enable the transaction to be processed. And the speed to process is phenomenal, and settlement has made huge advancements, which is brilliant for cash flow, but can also mean faster fraud. And if we look at cryptocurrency with blockchains, and open banking, we’re bringing faster fraud to the table. So essentially, within my role, the core components are still the same in managing and mitigating fraud, understanding the key principles of AML and KYC, fighting chargebacks and, most importantly, ensuring compliance is upheld to avoid all those possible breach scenarios from the regulators auditing us along the way. At the end of the day, the main goal is for merchants to be able to take a wide range of payments in the most safe and compliant manner possible. Nowadays, software companies are getting more involved with payments. And I personally love being able to educate software partners on how they can protect their merchants in the payments world. We work closely with software providers all day and every day on navigating through all the regulations on how to protect themselves and their clients from constant threats from fraudsters wanting their information, products, or services at that low bottom price of free of charge. Meaning you’ve probably been done by a fraudster. I think the main change in the payments industry is that we are in a new digital age that is becoming too far out of reach for many to understand. And if you don’t partner with critical payments experts that can help you navigate payments, you’re not going to become successful in monetizing payments in a frictionless and easy environment for everyone to use. But myself, personally, I reach out to the experts every day, and partner with the best companies to be sure we manage and mitigate our risk in the best possible way as well.

    Bob Butler

    I appreciate that background. So, as you look at this, from sort of that, you know, 30,000 feet level, what would you say is the number one thing to consider when it comes to payment security?

    Zac Lutton

    That number one thing to consider is always a difficult one to answer. But I like looking at it as protecting your payments data is the most important part of creating that secure payments ecosystem and experience. I look at data being everything possible that you can collect on the journey to accepting a payment. And this might be multiple journeys depending on where you position yourself in the pipeline of accepting and authorizing a payment or payment channel. As a payment processor, we have every functionality to receive payments via real time, hosted payment pages, virtual terminals, recurring bank and card transactions, and BPAY. I encourage our merchants to use a hosted payment page, as it has the highest-level security protocols protecting that information that is being sent to us. If you use a hosted page, you are using our hosted environment. And we have invested a lot in the best security protocols and people to manage this. And we can assist in minimizing your overall exposure, which is exactly the key to success in protecting your sales. And that’s the most important thing to be thinking about is how do I protect each dollar that comes into my business from the hard work I’ve done with each one of those sales. In terms of what we actually receive from payers, or software partners, is that payment data that is essential for multiple reasons: the basic consumer demographic details being the payer’s name, email, phone, address, date of birth that we’re used to sending across when we’re making a payment; we request the value of that purchase; the business details of the billing organization may be present on the invoice through the software partner. And lastly, the most audited, regulated, and critical component is the actual payment data itself being sent to us in the form of a bank or ACH in America being the BSB and account number details and credit card details that you don’t want anyone else that is not trusted to have access to.
    And this information must be stored, vaulted, and encrypted correctly. So, all this information makes up what we call identifiable data and must be protected under a variety of security and privacy policies that you must adhere to when you’re operating here in Australia and New Zealand.

    Bob Butler

    Well, what guidance can you give SaaS businesses around understanding the value and importance of that data?

    Zac Lutton

    The best way I think about this is to consider the inherent value of what you’re dealing with. Data today, I look at it as priceless and hence the most important aspect of your business. We all have the same basic need and that is to feel safe and protected. And unfortunately, it can ruin a person’s life if the wrong people get access to your personal information. Once upon a time that information used to be, you know, for myself a school crush in your diary hidden from your parents. But now we’re seeing every type of intrusion from DDoS smurfing attacks to spear phishing attacks against companies, banks, and governments to utilize this critical information in the attempt to build profiles that can destroy a person’s life, bring down an organization’s capability to trade, and worst-case scenario, make countries compromised on their national security. We’re seeing this disruption in the news every day across the world in the attempt to gain or disrupt through ransom attacks, political heists, manipulating future markets, or simply, greed of monetary gain. Unfortunately, a lack of awareness about payments data means too many businesses are leaving their front doors just swinging wide open back and forth and inviting fraudsters in to say “hello” through too many entrance points, unknown entrance points to the organization which leaves capacity for unknown bots to layer sleepers or active receivers, weak or no security, or maybe worse free online security systems, and therefore leaving their customers vulnerable to the corruption that could take place. My key piece of advice is no longer a nice-to-have, but a necessity: that everyone adheres to basic principles about how they’re collecting that data, how they go about securing that data, and knowing what they can do with their data. As a merchant or software provider, you need to know your business intimately first. Your infrastructure and importantly vulnerabilities to protect yourself.
    No one these days goes to bed without locking the front door. And I know with my wife, she makes me check it three times, four times the backdoors, the windows to ensure that we’re safe and secure at night. And we need to take that same mentality with this in our working environment to ensure we’re protecting the most important aspects, which is, as I’ve said at the start, personal identifiable data that we collect to do business with our consumers. For example, at my company sales, integrations, marketing, product, client success, and risk, you know, we all come together and look at the complete payment flow when we integrate with a partner software via our secure APIs. And we want to make sure that everyone fully understands every step of that payment flow. So, we can advise the best way to integrate onto our systems, but also so we can advise on the touch points that you either need to protect, or in some cases you don’t want to collect. You don’t want to touch it as it may make you vulnerable. My best advice that has never changed, and I say this to all our own internal teams as well as anyone open to my thoughts, is if you don’t need it, just don’t collect it. It is as simple as that. Collecting unnecessary data or information just means you have more obligations and regulations to abide by.

    Bob Butler

    I think those are very wise words. Let’s turn it right back to Australia, New Zealand. What are the main regulatory bodies and legislations that businesses need to consider if they want to take payment in the Australian and New Zealand markets?

    Zac Lutton

    Regulation is not a nice-to-have; it’s a mandatory component here in Australia, New Zealand. And generally, when that hill becomes an enormous mountain for new entrants in the payments industry, this is when we see so many software partners come to us for help, as we understand the number of regulatory requirements for payments in Australia New Zealand. Again, some great advice for anyone is to partner with a trusted organization that can make your payment experience as frictionless as possible but are willing to help you through what can be quite complicated legal and compliance requirements. If you go to a payments provider that tells you that you have no requirements and just send all your data to us, that’s probably another scenario where you possibly take pause and have a look at some of those concerns that you may have going into that type of partner. So, let’s kick off with a small topic and what we call in the industry, PCI, which stands for payment card industry compliance. And the easiest way, I always inform everyone, what this really is, is simply put as credit card security. And that means protecting everything you see on your credit card. What every business seems to fail to do is understand that anyone that takes a card payment needs to do a PCI self-assessment questionnaire to understand if they actually have any scope in securing their card data. Simply put, again, is if you touch card data, or make access available to your consumers, or merchants to allow someone else to take card data, you’ll be in scope for some level of PCI requirements. And PCI is all about understanding your infrastructure and ensuring the front door is shut. And no one has the ability to attack you or steal from you. Failing to protect your data may result in a breach, which you don’t want. And you may lose the ability to process payments, which can at the end of day just be business ending, especially for an online company.
    And you don’t want that to happen as you start off in your new business adventure. So please reach out to your current processor, bank, or look, just give me a call. And I’d be happy to guide you in some of the considerations you need to be thinking about. So, I’ve been doing this for 15 years obtaining level 1 PCI, the highest in the industry, I have a very good understanding of the never-ending needs of the assessors to reach this level of compliance. What I always find interesting, and some of the listeners may as well today when you’re doing your own PCI, is we are essentially inviting hackers to get into our system or try to and see if they can find any non-secure data. This is what they call penetration testing. I recently went out to a software company about PCI and their response was purely why bother when no one else in the industry seems to be doing it? And my quick question back to them was how much do you want to lose? And I think they’re still pondering that question. And I’ve asked them to get back to me soon about that. PCI look is all to do with how you store your customers’ data. The next one that is very important to consider is your privacy policy around your data. A privacy policy on your website is a mandatory link for your consumers. It seems the more I look at privacy policies, what companies are doing is they’re taking a very lazy approach and just doing a copy and paste of someone else’s policy without really understanding what it means and the intended purpose. You know, I do a quick plagiarism check on some policies. And I do catch a lot of businesses out that way. Best advice in regards to privacy is to ensure you have a policy on what you actually do with the data you collect, and more importantly, why you collect it. And that aligns to your published policy. So too many companies rely on third parties to write their policies.
    And I think that is enough, but they forget, they must action the points in their published policy and secure the data they collect. So that’s a bit of a mouthful. But the cost of a breach against your privacy policy is, you know, today a business destroyer reputationally. And the cost to get back market confidence is an expensive task. And I’ve seen so many large companies fall to a breach. And the cost runs into the millions to get back consumer confidence. And the cost to get your company back up and running in a compliant manner can also run into the millions. Thirdly, you need to consider government regulatory compliance. And this is where everyone gets a little bit worried and a little bit scared because there’s three subsections in Australia being the Australian Tax Office, Australian Securities and Investments Commission, and AUSTRAC, being the government body for anti-money laundering and counterterrorism. These are the three organizations where there is no avoidance of regulation and it’s a mandatory requirement to uphold. These three organizations require industry and legal experts to understand your business requirements. And when you’re in the payments industry, these are not nice-to-have understandings, but years of trained experts in regulatory interpretation and adherence to legislation is essential to keep your business secure and the nation’s financial economy protected. So, after 20 years of working with these three regulatory bodies, the best advice is partner again with an organization that can help you through these requirements, as the process can take years to satisfy their needs to be compliant.
    A very good business case recently that strongly highlights why you need to be compliant with regulators’ legislation and why you should partner with the experts is 2 of Australia’s major banks being fined $1.2 billion and $500 million by AUSTRAC, for failure to identify and report correctly, and certainly no one wants that type of attention or fines inhibiting their business. And that’s how I ensure that I keep those regulators away from our merchants and software providers by understanding that legislation back to front.

    Bob Butler

    Well, tell me a little bit about AUSTRAC. Because we don’t have that over here. What does it involve?

    Zac Lutton

    AUSTRAC is our legislative and requirement body that guides organizations on how to manage Know Your Customer (KYC) requirements, being identification of owners and directors, and also reporting requirements of suspicious transaction monitoring to assist in the identification of money laundering and counterterrorism activity. AUSTRAC is all about interpretation of the law. And as such, there’s a lot of ambiguity in its legislation. And generally, it’s good advice to work with a payment expert and have access to legal advice if needed.

    Bob Butler

    Oh, this has been awesome, Zac. And all this has been really great to know, any final thoughts for our partners out here, we’d love to hear any other bits of wisdom, you might have to share.

    Zac Lutton

    Lots of wisdom, Bob. Lots of wisdom. But look, payments data is inherently complex. And sometimes the safest option is to partner with an existing payment facilitator and outsource some of your fraud and compliance management. Unless you have trained risk and fraud specialists on hand, you could be exposing yourself to an unknown amount of payment risk. Look, some takeaways. And look, thank you very much for allowing me to chat to you today, Bob. But I’d love for the listeners to take a little bit away with them today about risk and fraud, and how to mitigate all those possible scenarios. And some of the things, you know, for our listeners to think about as they’re walking along or in their daily lives thinking about their business structures. If you’re thinking about payments, talk to the experts first. As they can guide you making it frictionless and also can help you monetize your business, which is fantastic. Understand your payment flow from start to go and how you want your business to interact and transact with your customers. Know your own infrastructure and how it is protected. Have policies that you follow about the data you collect, why you collect it, and most importantly, how you protect it.

    Bob Butler

    Zac, it has been fantastic having you on the show really appreciate you taking time.

    Zac Lutton

    Thank you very much, Bob.

    Bob Butler

    At Payrix, we want to be a trusted resource for software providers who are out there trying to make sense of Embedded Payments, risk, and PayFac and to help get the education they need to make the business decisions their customers and investors will thank them for.

    Thank you for joining us today on The PayFAQ: Embedded Payments podcast brought to you by Payrix. For more information about Embedded Payments, subscribe to our show at
