B2B Payments – Where’s the Risk?
In a 2014 the AFP (Association for Financial Professionals) Payments Fraud and Control Survey to review the fraud experiences of US B2B organizations – check fraud was the number one source of payment theft. Credit Cards are number 2.
The EMV conundrum and pending liability shift this October is irrelevant in the B2B level 3 payment processing and CNP (card not present) environment (remember, if you are processing credit card payments on a desk top (EMV) terminal – your transaction will not qualify for level 3 processing rates). To obtain that level 3 discount, payments must be processed on a certified level 3 payment gateway. This is not a gray area.
How can a B2B merchant mitigate payments risk then? A few tips –
Convert from check to electronic payments. B2B merchants continue to balk at this conversion citing migration/infrastructure (see From Paper to Electronic – What’s Really Broken in B2B by Zoya Lieberman) as well as card acceptance costs, and like all businesses, they are overwhelmingly focused on the job at hand – revenue generation and operations. Change can be hard.
It’s well established however, that handling paper data and invoices, manpower required, manual reconciliations and errors, and the bulkiness of the paper process – is seriously inefficient and damn costly – and flat out no longer entails best practices in payments. The advent of level 3 payment processing discounts by the card brands does away with the card acceptance cost objection, and API now makes the marriage of payments and ERP more than just a pipe dream. Electronic payments are the unequivocal future of B2B – time to make the move.
When you do convert – your risk mitigation strategy should definitely include the following-
1- PCI DSS Compliance – All organizations processing credit card payments should embrace the recommendations of the PCI Data Security Council and must take the PCI DSS SAQ annually to verify compliance. This should be every company’s foundational effort to mitigate risk and fraud in credit card payments. PCI DSS compliance is not optional. Further, the Security Council, comprised of the major card brands – provide many recommendations for additional fraud tools –as do the card brands themselves. Why not use them?
2. Encryption – is a pre-authorization security tool. From the time the B2B merchant enters the PAN (primary account number) into the virtual terminal and payment gateway – and through to the client server and card network/processor, the number is “in the clear” and at risk. Encryption uses algorithm schemes to convert the PAN to an unreadable form or cipher text. A key (maintained by the processor in a “vault”) is required to unencrypt the PAN and the transaction can then be authorized. This is a real time process.
3. Tokenization – is a post authorization security tool. In Card Not Present News, a 2015 article MasterCard, Visa Invest in Enhanced Security and Fraud Prevention quotes Visa CEO Charlie Scharf referring to Tokenization as “one of the most innovative and promising technologies we’ve seen in decades”.
With tokenization – The PAN is sent to a centralized and highly secure server called a “vault” for storage and the processor returns a token to the merchant in lieu of the PAN with the authorization response. Tokenization is the replacement of the sensitive data with surrogate, random and unique data that can be used by the merchant for transactions, returns, marketing analysis, recurring payments, etc.
There is a secure cross-reference table that allows authorized look up of the original PAN using the token as an index. With no access to the vault, the token value is meaningless if/when stolen and can’t be used for a monetary transaction. Tokenization takes the burden of card data storage off of the merchant and reduces the scope of PCI DSS – all while maintaining a smooth flow of existing business processes.
Merchants should only use a level 3 certified payment gateway with both encryption and tokenization. While I’ve only provided a limited description here for brevity and simplicity sake – these two tools are a no brainer.
4. Establish a “Risk” team – with at least one C-level Executive – to develop and implement strategies and responsibilities to minimize the risk involved with payments as well as any other sensitive data used or maintained by your corporation, and what actions to take in case of a security breach.
B2B merchants that embrace these changes and tools, will go a long way towards establishing secure, efficient payment processing.
Hopefully, the electronic payment providers you work with are proactive in keeping you up to date with the latest technologies to reduce PCI DSS scope and liability – because the result of working with a complacent provider?