PCI explained: Why every platform should prioritize compliance | Episode 42

Updated on October 1, 2024

In the latest episode of PayFAQ: The Embedded Payments Podcast, host Ian Hillis sits down with Candice Raybourn, Head of Partner Activation at Payrix and Worldpay for Platforms, to discuss the crucial topic of PCI compliance.

As businesses continue to embed payment solutions into their software platforms, ensuring compliance with PCI DSS (Payment Card Industry Data Security Standards) is more important than ever. Candice offers valuable insights into why PCI compliance is critical and how software companies can navigate this complex landscape.

What is PCI DSS?

Candice explains the basics of PCI DSS. The acronym stands for Payment Card Industry Data Security Standards, which are the technical and operational standards that various players in the payments value chain, including card issuers, banks, processors, acquirers, merchants, and service providers, must adhere to. These standards are designed to protect cardholders from data breaches and fraud. In an increasingly digital world, where eCommerce is the predominant payment channel, PCI compliance is essential to secure the entire ecosystem.

The shift to PCI DSS 4.0

A significant portion of the conversation revolves around the recent introduction of PCI DSS 4.0, which marks a major inflection point in payment security.

Historically, PCI compliance focused primarily on card-present transactions, such as those conducted at physical locations like gas stations and restaurants. However, with the rise of eCommerce, fraudsters have shifted their tactics, targeting online transactions more aggressively. PCI DSS 4.0 addresses this shift by expanding its scope to include 64 new requirements that specifically target eCommerce vulnerabilities.

These new requirements cover various aspects of security, including phishing protection, multi-factor authentication, vulnerability scanning, and more. For software companies, this means that every element of their operations, from data retention policies to website security, must be scrutinized and fortified against potential threats.

Why software companies should care about PCI compliance

Ian poses a critical question to Candice: Why should software companies, who are often focused on their core business operations, prioritize PCI compliance?

Candice emphasizes that PCI compliance is not just about checking a box—it’s about protecting the entire payments ecosystem. Software companies play a vital role in this ecosystem, often sitting in the middle of the value chain between merchants and payment processors. As such, they have a responsibility to ensure that their systems are secure, not only for their own sake but also for the protection of their merchants and consumers.

Candice underscores the financial and reputational risks associated with non-compliance. Small and medium-sized businesses (SMBs), which make up a large portion of the market, are particularly vulnerable. A single data breach can cost an SMB up to $650,000, making it essential for software companies to partner with payment processors who prioritize security.

Partnering with payment processors

One of the key takeaways from the episode is the importance of partnering with a payment processor who is a thought leader in PCI compliance. A good payment processor should provide guidance, training, and breach assurance, helping software companies navigate the complexities of PCI DSS. They can also offer tools like responsibility matrices, which outline the compliance requirements for different integration options, making it easier for software companies to manage their responsibilities.

Wrapping up the episode

PCI compliance is not just a regulatory requirement—it’s a critical component of maintaining trust and security in the payments ecosystem.

For software companies, staying ahead of the curve on PCI DSS 4.0 is essential. By partnering with knowledgeable payment processors and adopting a proactive approach to security, these companies can protect their businesses, their merchants, and, most importantly, their customers.

Transcript

    Ian Hillis   

    Hi everyone, and welcome to PayFAQ: The Embedded Payments Podcast brought to you by Payrix and Worldpay. I’m your host, Ian Hillis, and today I’m talking with Candice Raybourn, Head of Partner Activation at Payrix and Worldpay for Platforms. And we’re going to chat about PCI and why every platform needs to prioritize compliance. Compliance, compliance, compliance, everyone’s favorite topic. And on a personal note, I love any chance I get to connect with Candice and chat. So, we’re in for a real treat today. Candice, welcome to the show.

    Candice Raybourn   

    Thank you. Thank you for having me. I’m looking forward to it. My first time. Exciting. 

    Ian Hillis   

    Let’s go. Audience, I want to make sure I give Candice the appropriate introduction here so you can understand where she’s coming from with these insights she’s going to share. So, Candice Raybourn is a strategic thinker with a knack for converting strategy into practical outcomes for the business and partners. Before moving into her current role as Head of Partner Activation for Worldpay for Platforms in 2022, Candice was the Director of Integration Revenue at FIS, and she specialized in financial services with a core focus on corporate investment in transactional banking for 15-plus years. When Candice is not thinking about the next strategic initiative, she loves to travel and is a true global citizen. She’s lived in six different countries across three continents and speaks four different languages. Whenever I’m chatting with her, I don’t know if it’s morning, day, night. Catch Candice at any moment across all these pieces, but I’m excited for this conversation. Candice, today, we’re talking about PCI compliance. Let’s start with a baseline. What is PCI DSS?

    Candice Raybourn   

    Yeah, I think that’s a great place to start, Ian, and just for your info, since you never know, I happen to be at home in London today, so it’s a good, rare day that I’m at home. But anyway, starting with PCI DSS, for all the listeners that may not be up to speed. First of all, it’s an acronym, right? And so, the acronym itself stands for Payment Card Industry Data Security Standards. And really what that is, it’s the technical and operational standards that all the various players within the payments value chain need to meet. So, we think about that. It’s the card issuer, so often the banks, it’s your card brands, it’s the processors, the acquirers, it’s the merchants and, where applicable and very valid for this conversation, it’s any service providers that happen to plug themselves into that value chain, especially software companies providing solutions to end merchants when they’re adding on and providing payment capability on top of whatever their core business may be as well. At the end of the day, why do we do this? It’s to protect the cardholders and all of us in that value chain that I just mentioned from data breaches and honestly, ultimately, avoiding fraud, and that’s fraud both from a payments perspective as well as, unfortunately, identity fraud, etc. As I said as well, these standards are both technical and operational, so it’s not just about the payments flow, but it’s really about how we all think about protecting the operations of our business. Fraudsters are very smart people, and they will try to find a way in however they can, and in an eComm world, specifically, that means protecting all the doors, all the entry points on our platform, so that those bad actors aren’t able to enter into the ecosystem. I want to kind of stop there, because I can go through a very deep rabbit hole on all the technicalities, but we actually have a deep dive into PCI available to everyone. And you’ll want to check out episode 26, all about PCI, with Zach Lutton.
    Zach is our Head of Risk and Compliance for Payrix Australia, and he does a great intro into all of it. And there’s a link to that episode in the show notes available to everyone.

    Ian Hillis   

    That’s a great foundation, Candice, and I’m reflecting back to my first foray into payments 15 years ago, and everyone kept saying, PCI, PCI, PCI. I spent time researching across all of that. I’m imagining, for listeners that aren’t keeping track of the updates here, things probably have changed since 15 years ago, and have probably changed since a year ago. What are some of those key changes? We’re coming to a pretty big inflection point with 4.0 coming out. Put your software hat on. What does a software partner need to know at this particular time?

    Candice Raybourn   

    Yeah, absolutely. And to your point, it is a big inflection point. So historically, PCI compliance has been more focused on card-present transactions. So, this was really protecting against card skimming. That’s when you go to the restaurant, you go to the gas station, and someone scans that magnetic strip, and next thing you know, they’ve either created a counterfeit card, or they have your data and they use it electronically; ATMs that do skimming. This was really the focus of PCI, but with the prevalence of eCommerce, the fraudsters are shifting gears, and eCommerce is now the predominant payment channel being attacked. So, given that, PCI DSS 4.0 has been developed; it actually went live on April 1 of this year. There’s a year to get everyone up to speed, through March ’25, really, for that shift. So, complete inflection point. We’re in the middle of it, and that’s been developed to expand the scope, addressing, again, those technical and operational requirements that come into play for eCommerce. There are 64 new requirements in total. I’m not going to go through them all. There’s definitely a ton of material out there to help guide, and we’ll talk a bit later around how payment processors can help assist in that, but there is a pretty big scope shift. It covers things like phishing protection, how you assess and analyze targeted risk areas. Do you have the authentication requirements needed to protect? So think multi-factor authentication across all of the various access points into your software, especially into areas where any cardholder data would be entered or saved, protecting against eCommerce skimming attacks, vulnerability scanning. So, think about your IP addresses. Are those protected? What’s happening?
    So practically, if I’m a software company, this means that things such as data retention, my protection policies, the security vulnerability policies I have, my website itself, any hosted payments pages that I might provide to my merchants, my password security, malware protection, audit log reviews, all of those come into scope, and it’s really all there to make sure that we can protect against those fraudsters I’ve mentioned. And as I’ve said before, these span across not only the payments flow, but really the wider technical and operational setups we all have within the payments value chain, again, including the software providers you’ve mentioned.

    Ian Hillis

    So, on the topic of the software providers, I’m putting my software CEO, CPO, CTO hat on, Candice. I am busy. I’ve got competing priorities, and to be totally honest with you, PCI probably isn’t at the top of the list that I’m thinking about on a day-to-day basis. What do you have to say to that? Why should I care about PCI, given everything else I’ve got going on in my world?

    Candice Raybourn   

    And I get asked that question a lot, right? I’m here to be a software provider. You’re the payments people. What do we do? I think the reality is, the best analogy I can give is we need to start thinking about the payments flow as a relay race, and in that relay race, all of the data of a payment goes through the entire ecosystem. So from the time a consumer uses their card, whether in person, as I mentioned before, or now in the eComm flows, that process goes from the consumer to the merchant to the software company that’s sitting there, often as a vertical software specialist that’s helping those merchants run their business. They’re right there in the middle of that value chain that then passes to us as the acquirer and then fully through to make sure that the transaction goes through. But software companies that are providing that payment capability are now right in the center of that relay race, and whether they built it in via direct APIs or leveraging scope-reducing capabilities such as hosted payments pages, which a number of payments providers have, you’re a real role player in that relay race, and your merchants are depending on you to make sure that you play your part in that because they need protected. And importantly, their consumers need protected. Just to put a bit of size and scale around it: in most cases, software companies are serving SMB merchants. And 46% of all cyber breaches that impact businesses are businesses with fewer than 1,000 employees. 95% of those incidents, when it comes to the same SMB merchants, are costing a single merchant up to $650,000 per incident. So it’s critical that, as a software company, you not only partner with your payment processors and others within the value chain that take PCI as a core part of who they are, but you also consider the operational items within PCI, such as password security, that you really need to make sure you take care of, because that’s, again, I go back to those doors and ways to get in.
    Just to talk about password security, which is something that you should be thinking about from how you look at your product design, your core capabilities: 81% of company data breaches are caused by poor passwords. According to cybersecurity industry experts, a seven-character password that uses the widest range of characters (think about your uppercase, your lowercase, your number, your sign) can be cracked in four seconds, but if you up that to an 18-character password, you now have 480,000 years, right? So, thinking about little things can fundamentally shift how easy or hard it is for your system to be vulnerable, and that’s for PCI 4.0, and the things you need to think about as a software company. Again, it’s not just about that payment bit. It’s about protecting the ecosystem and looking at it from all of the different perspectives around how do we put a blanket around this whole thing to make sure that everyone’s protected?

    Ian Hillis   

    High stakes, you’ve convinced me. So, this is bringing my security and reputation into play for me and my customers. Now, tell me, Candice, what can I as a software company do to protect myself and my customer base? And we’re here talking a little bit with a slant on payments. What should a payment processor be providing in this area as well?

    Candice Raybourn   

    Absolutely, we’ll talk about the payment processor very quickly, because there’s a great partnership, as a software company, you can have with your payment processor to really not be overwhelmed by everything that PCI has. And that should be something you look to with your payment processor. But first of all, we need to be looking at PCI DSS as us protecting the payments ecosystem. And Ian, you just said it right. It’s about my reputation. It’s about my consumers, etc., and I need to make sure that my merchants and their consumers feel comfortable continuing to use all of our services, versus thinking about it as a compliance checkbox. So that mentality, in and of itself, brings a value add and positions your business in a different way, because it truly says to your consumers and your merchants: I understand the risks you face in today’s economy, today’s market. I’m here to make sure you’re protected. And to your point, you do that with the payment processor, right? So, if you’re out looking for a payment processor, and you’re thinking, there’s the payment side of it, which is one equation. But I would also make sure that you’re talking to them around security risk in general, and from a PCI perspective in particular, you’re going to be looking and saying, I want to make sure they’re a thought leader. This is a growing landscape, and I’ve just gone through 3.0 to 4.0; there’s no way it will stop there, right? As the fraudsters continue to evolve, the requirements will need to evolve to meet them, and the right payments provider should be someone that’s helping you navigate that so that you’re not having to become an expert on absolutely everything within PCI; they can really guide you.
    And that guidance, that training, that thought leadership, you should then be able to leverage with your merchants so that you’re providing that same trusted source and trusted advisor to your clients, and that payment processor can really help you make sure that you take care of both of those steps. On top of that, I talked about some of the financial implications of these risks; payment processors often add breach assurance. So, look to see: are there breach assurance options available, and what are, most commonly, PCI products that are available from a reporting perspective, and again, lots of acronyms and things, but the various attestations that are needed, those are available. But on top of that, how do we make sure that we provide some assurance, breach assurance, to those merchants, so that they feel comfortable that should the worst happen, they do have a bit of protection. Technically as well, I would work with your payment provider to understand the various integration options they have available, because each of those different integration options will have different PCI requirements, and they can talk you through that so that you understand the requirements that come with them. I’ve already spoken about the fact that there are differences between card-present and card-not-present. It also depends on the way that you integrate and how much you take that in house. And they’ll be able to answer all those questions for you.
    They can do that practically through what’s called a responsibility matrix, which outlines what they will take care of, what you will need to do, and what the merchant needs to do, and if they’ve done it right, they should be able to streamline any reporting you need to do and your merchants need to do, because again, they can look at that whole relay race and talk about how the value chain covers PCI holistically. And then operationally, they should be able to assist you in the reporting requirements that come out of this, because at the end of the day, as a software company, you’re there to run your core business. We don’t want you to have to build a ton of additional operational capabilities in house to manage this. Your payments provider should really be a business partner, and again, a trusted advisor, navigating this world of PCI along with you.

    Ian Hillis   

    This is a very complex but critically important topic. Thank you for breaking that down and making it consumable, digestible. My hunch is you probably need to listen to this a couple of times. It is one of the single most important things facing our software partners right now as we’re going through this inflection point. So, thank you for sharing those insights. And, as always, I love my chats with Candice. I hope you all got a lot out of this one as well. And thank you for joining us, Candice.

    Candice Raybourn  

    Thank you. It’s great. Glad to be here. 

    Ian Hillis   

    We want to be a trusted resource for software providers who are out there trying to make sense of embedded payments and finance to help them get the education they need to make the business decisions their customers and investors will thank them for. Thank you to everyone joining us today, and I look forward to continuing the conversation in our next episode. 
