Bob Butler
Hi everyone and welcome to the PayFAQ Embedded Payments podcast brought to you by Payrix. I’m your host Bob Butler, and today I’m going to be talking with Billi Jo Wright, the Head of Risk and Compliance here at Payrix, and we’re going to be talking all about what software companies should understand regarding risk and compliance. And specifically when it comes to the PayFac-as-a-service model. So, hi Billi Jo, welcome back to the show.
Billi Jo
Hi Bob, thanks for having me back.
Bob Butler
It’s great to have you back. Hey, the last time we had you on the podcast you covered an incredible amount of information. You know all around risk and compliance and how it varied based on the different types of monetization models a software company picked. For those listening you could find that information on episodes 3 and 4, but today I really want to dive in further specifically as it relates to PayFac-as-a-service – payment facilitation as a service. So if a software company isn’t looking to become a full PayFac® and they want this PayFac-as-a-service, what should they be looking for in a partner?
Billi Jo
I think there’s a number of things that they should be considering in this process, but I’ll break it down into 3 specific areas. The first one would be what is the overall desired customer experience. How critical is Embedded Payments into their business. I think the last consideration would be around the maturity of a software company. And all 3 of these things are separate. But I think they’re very much intertwined with one another. And so, if you think about the desired customer experience, so much of the value of PayFac-as-a-service and Embedded Payments is really tied very closely to the customer experience and how software providers can embed that into their overall offering, so choosing a company that gives you the flexibility to create the user experience you desire is pretty imperative for software companies.
The other piece is around how important is Embedded Payments to your business and how much of that is a growth driver for a software company and I know from our experience it’s pretty critical. So I feel like it’s important that you partner with a company that really takes time to understand what their software does, who their customers are, and they’re not just looking at it as one specific customer that sits within their portfolio, but they really understand the software company in general.
And then the last piece I would say is the maturity of a company and I mention that because it’s a very important part of the overall offering. And if you’re a software company looking to embed payments, there are customer servicing elements that you should consider and your company’s ability to support those expectations whether it be understanding interchange, or risk and compliance, those are things that you should be thinking about and considering when you’re looking at the PayFac-as-a-service.
Bob Butler
I know there’s several different models out there that different providers are offering as it relates to PayFac-as-a-service. But how would you recommend that software companies evaluate the risk and security programs that are available in these various models.
Billi Jo
There’s definitely a bunch of different variations as it relates to approach to PayFac-as-a-service and so I think some important considerations would be, does the provider require that you own liability for merchant loss. Some providers do and some don’t and honestly there’s advantages to doing both, but it’s certainly something that as a software company should be thinking about. Is there an expectation that you need to pre-vet or underwrite your customers before enabling payments? Bringing a customer live for a software versus payments looks very different and so you need to understand what the expectations are around that and then I would say the other piece are their tools. Do they provide tools to help protect your customers and I’ll just give an example. Are their tools available for say data breaches and being able to help customers understand and drive compliance as it relates to those pieces.
Bob Butler
I’m a software company, what liability do I have within this PayFac-as-a-service model? You mentioned just a second ago about some make you hold risk some don’t make you hold risk. I need to understand a little bit more about what that liability would be as a software company.
Billi Jo
Yeah, so outside of just merchant liability right? If there was a situation where a merchant had a fraud event and they lost money and the merchant wasn’t able to cover that, in some cases a software company could be responsible for that. Another primary example of that would be platform security. Ensuring that your environment has the proper controls in place and can protect themselves from unwanted entry into their platform or into the payments ecosystem. Everyone in the payments ecosystem whether it’s merchants, processors, acquirers, software companies, everybody has the responsibility when it comes to PCI DSS and that stands for the Payments Compliance Industry Data Security Standards. Which essentially just means that you need to protect your customer’s personal and payment information. So even though there’s providers out there like Payrix are offering, helps protect cardholder data, it encrypts cardholder data and has a certain level of kind of that protection, it reduces the scope as you think about PCI compliance, but it’s still really important that everybody understands their responsibility in data security and understands the potential vulnerabilities and also what controls and policies they may need to drive that level of compliance.
Bob Butler
Well, how do you just recommend that a software company communicates the importance of security to their customers, their merchants. What’s your recommendation on how that gets communicated?
Billi Jo
The first part’s around awareness and there are a number of resources that you can access related to PCI and data security. I think a good place to start would be the PCIsecuritystandards.org, it’s a great website. It has a ton of resources as it relates to best practices and what you need to know, but I also think finding solutions that help drive compliance specifically at the merchant level is really critical. Especially when you think about small and medium sized merchants. PCI compliance can be really confusing and so a lot of small businesses don’t really know where to start. And it’s a real problem because these types of businesses are essentially targeted by cyber attackers and so they don’t necessarily have the right protocols in place and so they prey on them for that. So having solutions that drive that level of awareness, give them the information that they need to know to protect their business and be compliant I think is really important as it relates to data breaches.
Bob Butler
Here at Payrix we’ve seen growth volume growth in that 100%-200% a year over the last five years. If you really think about security best practices, what have you seen implemented when our partners go live with a PayFac-as-a-service product?
Billi Jo
Yeah, I felt I would just start with some statistics related to security breaches. So in 2022, there were over 1800 publicly reported data breaches. That included 422,000,000 people being impacted as a result of those data breaches and it was a 41% increase year over year. And with the average cost of a data breach with an impacted company being around $4,000,000. So data breaches are a real problem in the industry and some of the most common causes of these data breaches are things like compromised credentials. So that made up 45% of the causes related to data breaches, phishing attacks were 18% of that, and then exploited vulnerabilities.
So known software vulnerabilities that weren’t updated were at 9%. So these are some pretty basic things that lead to data breaches and so if you think about best practices as it relates to being able to fight off some of that, multifactor authentication (MFA) it helps keep data and systems secure by adding roadblocks that stop bad actors in their track. So basically it makes it harder for them. They have to be able to authenticate in more than one way. So even if you have a compromised credential the hacker would still really need to have a second and third authentication factor in order to gain access. So without having that kind of requisite number of authentication factors they can’t access your resources. And just to give an example of how bad that can be when someone is able to enter into your platform, in May of 2021, there were hackers that installed ransomware on a company called Colonial Pipeline. I’m not sure if you remember that Bob. But it was essentially the largest reported ransomware attack in history and the hackers literally locked the company out of their own system and completely shut down their operations and demanded money in order to regain access. And this attack is well known because Colonial was the largest pipeline in the US that supplied fuel to basically most of the East Coast.
Eventually Colonial paid the ransom. They regained their operations but the crazy part about that entire process was that the hackers were able to do this through a single password compromise through their vpn system. So MFA is really important. But just to go over a couple of other best practices. User access management, ensuring that the people that have access to your system have a business purpose to have access to your system, keep your systems up to date regarding security patches and using Antivirus Software to scan for vulnerabilities, education and awareness are probably very underrated. And you know I think most people probably really delay doing their security training. But it’s really important. It reminds people of the very basic things that lead to these compromises. Don’t click on a hyperlink if you don’t know the source, if you don’t recognize the email, don’t share or write your passwords down when you’re using wi-fi in a public or unprotected area. Don’t access your system that contains sensitive information. And then lastly, the thing that I would recommend is there’s quality qualified security assessors – so QSA’s. Software companies that merchants can work with that help them understand their environment and potential vulnerabilities and also recommend what controls they need to have in place to give them that ultimate peace of mind.
Bob Butler
So what are the biggest mistakes in our example, like a vertical software company. What is the biggest mistake they can make when it comes to security?
Billi Jo
You know I think it’s underestimating the level of importance that they play in that whole ecosystem and not really understanding how fraudsters can attack via their platform. And so even though they may not be directly involved in the storing of sensitive information, they could be used as the gateway to either gain access to sensitive information or introduce fraud into the payments ecosystem. Whether it’s people that they do business with or third parties that they do with. There’s an example of a very popular retail company that probably everybody frequents on a weekly basis that their compromise originated through a third -party HVAC vendor that was able to gain access through compromised credentials again, and installed malware to gain access to their credit card information. So I would say that’s probably one of the biggest mistakes.
I would also say underestimating the significance that their customers play in protecting cardholder information. So, the majority of the breaches that I talked about that were reported in 2022 were small businesses, and so it’s really important that providers can reduce the overall PCI scope. So somebody like Payrix or other PayFac-as-a-service providers, they help reduce that by encrypting information by encrypting card numbers. But it’s a reduction, it’s not a complete pass when it comes to their responsibilities to protecting card data and being able to demonstrate PCI compliance and so I think it’s just really important that there’s tools that are enabled to help drive that level of compliance.
Bob Butler
Billi Jo it’s been great having you here today. Any last pieces of advice you’d like to leave for a software company?
Billi Jo
Stay diligent. Be extremely thoughtful about when it comes to security and not underestimating the damage that a security breach can have on your company or your customers. And then really just thinking about what that overall desired experience is and making sure that you have a provider that’s willing to work with you, that is willing to talk with you and willing to plan what your overall objectives are as a software company.
Bob Butler
Well Billi Jo, I really want to thank you for being on the show. Having spent quite a bit of time with you over what’s coming up on 15 years, I know we’re both big believers in sharing knowledge and experience. So again, I really appreciate you joining us here today.
Billi Jo
Thanks Bob.
Bob Butler
We want to be a trusted resource for software providers who are out there trying to make sense of embedded payments and finance. And to help them get the education they need to make the business decisions their customers and investors will thank them for.