A managed services provider (MSP) is likely well-versed in cybersecurity; however, payment security might be a less familiar topic. Payment security involves measures that protect financial transactions and sensitive data from unauthorized access, fraud and other threats. It's crucial for maintaining the integrity of financial transactions, ensuring smooth business operations and protecting both clients and MSPs from significant risks.
Payment security as a term broadly refers to a set of protocols, technologies and practices that protect the integrity of financial transactions within a business. These measures are designed to prevent fraud, theft and unauthorized access to sensitive customer data, both during and after transactions. There are multiple defense mechanisms that can be put into place to secure financial transactions and protect customer information, including:
The vast majority of organizations in every sector that transact B2B business accept electronic payments, and that number is only expected to grow. Over 80% of businesses in a survey said that they are investing or planning to invest in B2B payment technology for accounts payable (AP) in 2024.
It’s an investment that makes sense. In the hustle and bustle of today’s business world, no one has time to spend tedious hours writing paper checks or balancing a checkbook. B2B payments are expected to make up over 70% of all virtual card payments by 2026. It has become much easier for even the smallest business to accept electronic payments thanks to services like Square. There’s no need for a company to go through the old cycle of calling a client for an overdue invoice, waiting for a check in the mail and then calling again when it doesn’t arrive. Instead, it can all be handled through one quick electronic transaction, even over the phone or outside the office.
Many of those payments will be processed through networks that an MSP maintains, creating risk that an MSP unfamiliar with payment security may not have factored into its defensive plan. That added digital risk makes solid payment security mission-critical for MSPs and their customers. Cybercriminals are hungry for payment card information that they can leverage to facilitate identity theft or sell on the dark web. Security.org estimates that 60% of U.S. credit card holders have been victimized by fraud, and 45% have experienced fraud multiple times. The desirability of payment card information and the subsequent rise in cyberfraud has led to the adoption of standards that aim to protect that type of sensitive data.
The Payment Card Industry Security Standards Council (PCI SSC) was formed by major credit card companies (Visa, MasterCard, American Express, Discover and JCB) to create a unified payment security standard. They launched the first Payment Card Industry Data Security Standard (PCI DSS) in 2004, detailing comprehensive requirements for payment security, including management, policies, procedures, network architecture and software design. The latest version, PCI-DSS 4.0, was released in 2022. While PCI-DSS compliance is not legally required in the U.S., it is mandated by contracts between merchants and their payment service providers, card networks and banks.
Payment security is an area that is often overlooked by MSPs. After all, a company’s MSP is not its credit card processor and certainly should not be. However, a company’s payment card transactions are typically sent through devices that are attached to the networks that MSPs maintain. That connection means that MSPs are involved in their clients’ payment security already, even though there are parts of it that the MSP has no visibility into. This is a huge problem for the industry.
Payment card information security is a thorny problem for MSPs. Why? Businesses need to be able to rely on their MSP for all their digital security needs, including payment security. However, PCI DSS is a complex standard. There isn’t an existing effective tool for mitigating PCI DSS risk, and an IT staffer can’t just do a crash course in PCI DSS by doing some research and watching some videos. An MSP needs to employ or consult with a person with expertise in PCI DSS to handle compliance and risk which is an expensive proposition.
Companies may assume that their credit card processor is already handling this part of payment security. After all, they see line items about compliance fees on their merchant statements and get communications from their merchant processor that mention PCI compliance. But looking a bit more closely unveils the truth: the business is actually paying a non-compliance fee that can range as high as $100 every month. Credit card processors don’t have any incentive to help businesses become compliant either. An estimated 80% of businesses are not PCI DSS compliant, and the added fee they pay monthly adds up to a lot of revenue for credit card companies.
Merchant processors, as well as major card providers like Visa, Mastercard, Amex and Discover, don’t actually handle payment security. Instead, they all shift responsibility onto the businesses they serve without making that clear. Then, they slap on a non-compliance fee without explanation. By paying it, a business essentially admits that it is not PCI DSS compliant. So, if a breach occurs, the business is culpable and could potentially lose a cyber liability claim.
Many processors like Stripe provide a wealth of information to help their clients understand payment security and how to build a strategy to mitigate it. But that information is typically highly technical. It doesn’t help most non-tech stakeholders understand what needs to be done to become or maintain PCI DSS compliance. Instead, businesses rely on a trusted digital risk expert to take care of it: their MSP.
Payment security and PCI DSS compliance isn’t something MSPs or their clients can ignore. Any business that processes electronic payments, and its MSP, if it has one, is already on the hook for compliance and data security liability as soon as it enters into a processing agreement.
But MSPs don’t have to go it alone when securing their clients in a complex area that requires specialized skills like payment security, especially when they’re starting out at a disadvantage because of limited visibility. Secure Payments is a trustworthy partner for MSPs to turn to for efficiently managing their downstream clients’ payment security without adding more work to their plates.
Deploying Secure Payments is easy, and administration is almost hands-off for the MSP.
To sweeten the pot, for every client that switches to the Secure Payments environment, the MSP receives a small rebate. Depending on the volume of processing the client does, this can become a healthy new profit center for an MSP. Take a look at the game-changing effect opening up this new revenue stream had for Feller Payments in this case study.
Of course, the most important benefit of partnering with Secure Payments is that MSPs and their clients can rest easy knowing that Secure Payments has their PCI DSS compliance and payment security handled.
We’d love to talk to you about how Secure Payments will benefit your clients and your MSP. Book a call and let’s connect!