Companies that operate in the “money industry” must comply with multiple local, national and international industry standards, including a proper data protection policy and infrastructure. Keeping up with these requirements and standards usually takes substantial labor and financial resources. It is common for companies involved in payment processing to invest significant capital and wait almost a year to get certified and to obtain all the required licensing and approvals. In this article we will name a few of the most common payment industry regulations and standards.
The PCI Security Standards Council was founded in 2006 by the major credit card brands to promote the safety of credit card data across the globe.
Maintaining payment security is required for all entities that store, process or transmit cardholder data. The PCI security standards provide a set of technical and operational requirements for organizations that accept or process payment transactions, and for the developers and manufacturers of the applications and devices they use.
The twelve PCI DSS requirements are grouped under six goals:
Build and Maintain a Secure Network
1. Install and maintain a firewall configuration to protect cardholder data
2. Do not use vendor-supplied defaults for system passwords and other security parameters
Protect Cardholder Data
3. Protect stored cardholder data
4. Encrypt transmission of cardholder data across open, public networks
Maintain a Vulnerability Management Program
5. Use and regularly update anti-virus software or programs
6. Develop and maintain secure systems and applications
Implement Strong Access Control Measures
7. Restrict access to cardholder data by business need-to-know
8. Assign a unique ID to each person with computer access
9. Restrict physical access to cardholder data
Regularly Monitor and Test Networks
10. Track and monitor all access to network resources and cardholder data
11. Regularly test security systems and processes
Maintain an Information Security Policy
12. Maintain a policy that addresses information security for employees and contractors
Card Network/Card Brand Regulations
Companies that process payments are required to meet the rules and regulations of the payment card brands. The major payment card associations regularly publish updates to their policies and regulations, and it can be quite time- and effort-consuming to understand and follow them. Companies working with merchants not only have to cope with these regulations themselves but also have to promote their merchants’ compliance.
Anti-Money Laundering Program
Anti-Money Laundering (AML) programs were developed under the Bank Secrecy Act (BSA) of 1970. The BSA/AML compliance program must be written, approved by the board of directors, and noted in the board minutes. The board of directors, acting through senior management, is ultimately responsible for ensuring that the company maintains an effective BSA/AML internal control structure, including suspicious activity monitoring and reporting.
Key AML Compliance Components:
- Risk Assessment
- Internal Control
- External Audit
- AML Compliance Officer
- AML Compliance Training
Know Your Customer Requirements
Know Your Customer (KYC) requirements were developed under the Bank Secrecy Act and are intended to mitigate financial fraud, money laundering, identity theft, tax evasion and other financial crimes.
The KYC requirements provide guidance on how companies collect, process, store and report information about their clients and about potential threats.
Financial Crimes Enforcement Network (FinCEN)
FinCEN is a US government organization founded to combat financial crimes. All companies that operate in the financial sector in the US have to register with FinCEN. The mission of the Financial Crimes Enforcement Network is to safeguard the financial system from illicit use, combat money laundering and promote national security through the collection, analysis and dissemination of financial intelligence and the strategic use of financial authorities. Companies registered with FinCEN may be required to submit special reports on any suspicious activity.
Companies that process payments may also be subject to local legislation, such as registration and licensing requirements. To satisfy these various requirements, companies may be exposed to additional taxes, fees and audits.
If a company is involved in direct money transfer activity, it may have to meet even more industry requirements, such as minimum capital, reporting and IT infrastructure requirements. Keeping up to date with all of these standards and regulations usually requires extra capital and labor investment.
Companies that offer payment services may also be subject to special tax regulations. In the USA, Form 1099-K, Payment Card and Third Party Network Transactions, is an IRS information return used to report certain payment transactions in order to improve voluntary tax compliance. A Form 1099-K includes the gross amount of all reportable payment transactions. Companies that offer payment services may be required to file this report with the IRS for merchants who process transactions above a certain volume.
This is just a glimpse of what payment processing companies may face. On the other hand, working with a reliable partner for processing payment data may relieve a company of many of the burdens mentioned above.
Amaryllis is a reliable partner for PayFacs, processors, acquirers, PSPs and other entities that belong to the payments ecosystem.
To help cope with the payments industry’s requirements and standards, Amaryllis offers:
- PCI DSS Level 1 compliance solution
- Advanced in-house authentication, tokenization, fraud detection, instant notification and data protection services
- Comprehensive onboarding and merchant underwriting that meets KYC and AML standards
- A customizable and sophisticated system of reports, a reconciliation service and other tools to gather and process intelligence
Please contact our sales representatives for more information or to request a demo.