In our view PCI (payments card industry) is a thinly veiled lobbying arm for the payments industry to ensure that players in the payments ecosystem make more money. They hide behind a guise of security, but really there are much better ways to safeguard payment transactions than paying hundreds of thousands of dollars in compliance costs (we have the same view of SOC and the myriad other certifications).
Merchants that accept cards must go through the rigamarole of PCI DDS, and if they’re large enough that rigamarole is onerous.
Broken in four levels, PCI certification comes with different flavors of nonsense.
This chart from VGS shows you the levels and the relative work in satiating the compliance.
Merchants that process more than 6 millions transactions annually must become PCI Level 1 compliant, which runs about $1M and can take a year. Ongoing costs are in the hundreds of thousands of dollars annually.
Let’s look at the true cost of a large restaurant as an example.
Chris DeSaye, the former VP of IT at Hillstone and MML, walked us through his experience at Hillstone.
By transaction count Hillstone was required to be level 2 certified but undertook a level 1 certification. The operating procedures and costs were material. We hired a full time person dedicated to security. We created logs that documented when any person entered our office premises, installed cameras, wrote hundreds of pages of operating guidelines, and made serious technical changes to how our IT systems were used across our employee base.
Chris DeSaye
All-in Chris explains it was more than $1M in costs and expanded overhead considerably.
What’s particularly interesting in the nascent world of payfacs is that payfacs acts as the merchant of record. Under this framework the payfac bears the brunt of PCI compliance on behalf of the merchant.
If you’re a level 1 merchant, the compliance savings would be material.
Caleb Avery, CEO of Tilled, shares that payfacs often shield level 3 and 4 merchants from SAQ and do, in effect, become their compliance shield. “Companies like Stripe and Tilled also offer technology to help merchants (and ISVs) minimize PCI scope through tools like embeddable JavaScript elements that control the fields for sensitive credit card data entry,” says Avery.
But it isn’t clear where the payfac can or should assume the PCI compliance risk for larger merchants.
Susie Maxwell, Director of Business Development at MaxPCI, explains that the ultimate responsibility of PCI compliance is a decision for the merchant acquirer to make; payfacs are built on acquirers so this issue would lie with the acquiring backend in question.
Ultimately, I believe the acquirer would be the decision-maker; however, even if they do not require it from a level 1 sub-merchant, the PayFac would still need to make the decision because of the liability issue. To further complicate things, it is entirely conceivable that one acquirer may not require it, but another will.
Susie Maxwell
In theory if the acquirer blessed the merchant-payfac relationship then the payfac could decide to take on the risk of a level 1 merchant.
All this to say that processing through a payfac could eliminate massive compliance overhead, even if the rates are nominally higher. And of course, there’s always the joy that comes with receiving a monthly statement without a nonsense PCI compliance fee.
Sounds Risky… Right now it seems like a gamble, but lets say you could magically eliminate the costs of being level 1 compliant to the merchant and pass that liability to a Payfac. This would be a huge gamble for Payfacs to assume the risk of a breech. More like company destroying gamble.