Compliance and Regulatory
The electronic payments industry is highly regulated, and rightly so since it deals in sensitive personal and financial information. At TransFirst®, we take secure credit card processing very seriously and comply with all applicable regulations. You should, too, because compliance is good for your business.
There are three important aspects of compliance and regulation that we would like to address: PCI compliance, W9 validation and EMV.
PCI compliance refers to meeting the requirements established by the Payment Card Industry Security Standards Council (PCI SSC), an alliance of the five major credit card companies — Visa®, MasterCard®, Discover®, American Express® and JCB International®.
The requirements are known as the PCI Data Security Standard (PCI DSS), which lays out the steps that every merchant who processes, stores or transmits credit, debit or prepaid card data must take to maintain a secure transaction environment.
As a leader in secure electronic payments, TransFirst® supports and promotes PCI compliance. Our PCI program provides services that help merchants become and remain compliant, even as PCI DSS requirements change. The program consists of several important and comprehensive components:
- Our online Self-Assessment Questionnaire (SAQ) is an intuitive and easy-to-use tool with picture-driven qualification steps that helps merchants easily determine their Validation Type. It is supplemented with expert help text and real-life examples.
- External scanning detects network vulnerabilities for merchants with external-facing IP addresses and finds holes in web-based applications. TransFirst then issues easy-to-understand reports detailing the results and prioritizing vulnerabilities, and offers hands-on assistance with remediation.
- Custom security policies and policy templates, powered by the Unified Compliance Framework (UCF) and generated automatically from how each merchant processes payment cards, provide an individualized approach to compliance.
- On-demand security awareness training prepares merchants to handle sensitive information, satisfies PCI DSS requirements and eliminates the need to purchase a costly training program from a third-party provider.
It’s important to understand that while PCI compliance protects both merchants and cardholders, there is no law requiring it. However, PCI compliance is a contractual obligation between merchants and the five major card brands that comprise the PCI SSC, and noncompliant merchants who experience a data breach are subject to fines, expensive audits, other associated costs and, perhaps most significantly, a direct and potentially fatal hit to their business reputation.
PCI compliance is not an expensive proposition, nor does it require a great deal of effort on the part of the merchant. It is, however, an excellent investment in security and peace of mind. TransFirst stands ready to instruct and support our merchants in that investment.
Under Section 6050W of the Housing and Economic Recovery Act of 2008, all payment settlement entities — including merchant services providers and financial institutions — must report their merchant customers’ annual gross payment card transactions to the IRS on Form 1099-K.
Pertinent transactions include those processed by credit, debit or co-branded cards and third-party network transactions, such as flexible spending accounts. The information will be used by the IRS to verify financial data it receives from other sources. A copy of the form must also be given to the merchants.
To comply with this new regulation, TransFirst asks its merchant customers to provide a Form W-9 that includes their legal business name, address and taxpayer identification number (typically the EIN). All this information must match the merchants’ filed tax forms in order to be valid.
Merchants who do not comply with W-9 validation could be subject to backup withholding equal to 28% of their gross payment card transactions, so TransFirst recommends that merchants take a proactive approach to compliance. If you have questions regarding W-9 validation and its impact on your business, ask your tax professional for guidance.
Credit card processing in the United States is catching up with the rest of the world with the adoption of EMV technology, which is widely accepted as being more secure than the magnetic stripe technology that has been the basis of payment processing in the United States for the last four decades.
The goal of the EMV standard is to create interoperability between EMV-compliant credit cards and EMV-compliant credit card payment terminals throughout the world. In mid-2012, more than 1.5 billion EMV payment cards were in use worldwide, and 76 percent of all credit card terminals globally were based on EMV. The U.S. is one of the last nations to adopt EMV technology.
EMV cards (the acronym stands for Europay, MasterCard and Visa) are also called chip-and-PIN cards or smartcards. They are equipped with an embedded microprocessor chip that stores the data and instructions needed to process a purchase, information that was previously stored on the magnetic stripe on the back of the card.
There are two types of EMV cards. Contact cards are inserted into a terminal, and contactless cards are waved or tapped in front of the card reader and communicate with it through radio-frequency identification (RFID) or near field communication (NFC).
Smartcards are considered to be significantly more secure than mag stripe cards because the chip’s contents are protected by two different encryption technologies. The data on a mag stripe card is static, so if the card is stolen or the data is copied, a counterfeit card can be created and the cardholder’s identity used to open other accounts. The encryption technologies used in EMV cards make such fraud far less likely; in fact, it has been reported that credit card fraud has dropped by as much as 80 percent in countries where encrypted EMV cards are used.
EMV transactions are also usually quicker than mag stripe card transactions because the terminal and card communicate directly with each other to verify the authenticity of the transaction.
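Why a copied mag stripe authorizes while a captured chip transaction does not, as an added Python model that is not from TransFirst or from the EMV specification: the per-card key derivation, the MAC-based cryptogram and the transaction-counter check are simplified stand-ins for EMV's application cryptogram, and every key, card number and amount is constructed for the example.

```python
import hmac
import hashlib
import secrets

# Constructed sample values (not real keys or card data).
ISSUER_MASTER_KEY = b"constructed-issuer-master-key"
PAN = "4111111111111111"              # well-known test PAN, not a live account
MAG_STRIPE_TRACK = f"{PAN}=2512101"   # static track data: PAN, expiry, service code


def magstripe_authorize(track, known_tracks):
    """Mag stripe check: the issuer can only confirm the static data matches,
    so a skimmed copy of the track is indistinguishable from the original."""
    return track in known_tracks


def derive_card_key(pan):
    """Simplified key diversification: a per-card key from the issuer master key."""
    return hmac.new(ISSUER_MASTER_KEY, pan.encode(), hashlib.sha256).digest()


def card_cryptogram(card_key, atc, unpredictable_number, amount):
    """Chip side: a MAC over data that changes every transaction. atc is the
    card's transaction counter; unpredictable_number is chosen by the terminal."""
    msg = f"{atc}|{unpredictable_number}|{amount}".encode()
    return hmac.new(card_key, msg, hashlib.sha256).hexdigest()


class Issuer:
    def __init__(self):
        self.last_atc = {}  # highest counter accepted per card

    def chip_authorize(self, pan, atc, unpredictable_number, amount, cryptogram):
        expected = card_cryptogram(derive_card_key(pan), atc, unpredictable_number, amount)
        if not hmac.compare_digest(expected, cryptogram):
            return False  # wrong key, or amount/number/counter altered
        if atc <= self.last_atc.get(pan, -1):
            return False  # counter already used: a replay
        self.last_atc[pan] = atc
        return True


def demo():
    issuer = Issuer()
    cloned_ok = magstripe_authorize(MAG_STRIPE_TRACK, {MAG_STRIPE_TRACK})
    un = secrets.randbelow(2**32)
    crypt = card_cryptogram(derive_card_key(PAN), 1, un, 2500)
    genuine_ok = issuer.chip_authorize(PAN, 1, un, 2500, crypt)
    replay_same = issuer.chip_authorize(PAN, 1, un, 2500, crypt)       # counter reused
    replay_new = issuer.chip_authorize(PAN, 2, un + 1, 2500, crypt)    # MAC no longer matches
    return cloned_ok, genuine_ok, replay_same, replay_new
```

The cloned track authorizes, the genuine chip transaction authorizes, and both replay attempts are rejected; a real issuer additionally ties the cryptogram to the terminal data it receives, which this model omits.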
The implementation of EMV technology in the U.S. is underway, encouraged by Visa and MasterCard. Both associations have migration plans in place and have set compliance deadlines for merchant services providers and their clients that began in April 2013 and end with a liability shift in October 2015 (October 2017 for gas stations).
The liability shift means that whichever party causes a contact chip transaction not to occur will be financially liable for any resulting card-present counterfeit fraud losses. In simple terms, if a merchant does not have equipment that can support chip technology by the dates listed above, and this lack of equipment causes the fraud, the merchant will be held financially liable.
The adoption of EMV technology requires merchants to upgrade their hardware and software to accommodate the new chip-and-PIN cards. Merchants will continue to be responsible for achieving and maintaining PCI compliance through annual SAQ completion and quarterly external vulnerability scanning.
TransFirst offers the most up-to-date EMV equipment available on the market. Merchants may upgrade their equipment now to prepare for EMV acceptance, positioning them to achieve full compliance and be ready for the future liability shift deadline.