By Susan Kohl
As a software vendor, do you know what is required for your application to accept payments and be compliant with industry regulations? In order to understand the requirements independent software vendors (ISVs) need to determine which category is applicable to their business model.
Table 1: Software Provider Categories
As illustrated in the table above the requirements vary based on the business model which is representative of the types of services a software vendor provides to their customers. This article focuses on clarifying the requirements for SaaS and hybrid models and can best be summarized with the following steps.
Registration with Credit and Debit Card Brands
The card brands (Visa, MasterCard, STAR, etc.) require “Registration” of all entities providing the following services to the payment industry (referred to as Third Party Service Providers or Agents (TPAs)):
- Solicitation of payment activities
- Chargeback, fraud and settlement management services
- Enabling authorization and/or settlement activities (gateway and hosting services)
- Performing payment encryption management services
- Payment program processing, managing, monitoring and/or reporting (such as loyalty programs)
SaaS ISVs provide services that hosts the software that stores, processes, and/or transmits cardholder data on behalf of their merchant therefore they qualify as a TPA.
The purpose of Registration is to clearly identify all parties that handle payment transactions and/or cardholder data in any way. TPAs must be registered by a card brand sponsor Member. A Member must be a financial institution (aka bank) that meets the criteria of the card brand to sponsor TPAs. We will refer to these Members as a “Sponsor Bank” for purposes of this article. There are many other types of Members not relevant to this article. TPAs can select their own Sponsor Bank or work through their payment processors’ Sponsor Bank to complete the proper Registration.
The table below highlights key information required, at a minimum, from you for the Sponsor Bank to properly complete Registration. Each Sponsor Banks’ Registration program requirements may vary, however some basic information standards are required by all Sponsor Banks as dictated by the card brands operating rules and bank regulations.
Table 2: Registration Information Required
| |
You Provide |
Sponsor Bank Performs |
Result |
| 1. |
Memo describing your business activities related to payments and provide a process flow that outlines incoming and outgoing activity (authorization pass through, settlement points, etc.), third party service touch points.
If possible, request a face-to-face meeting with the Sponsor Bank and/or Processor. |
Review to determine Registration category and how to underwrite the risk and identify what third party companies handle cardholder data
(TIP: Sponsor Banks may not request this, however to avoid confusion on what category you should be Registered as and the risk associated with your business it is prudent to provide such documentation) |
The more clear and concise the business overview and operations the less frustrating and misclassification will occur during your Registration process. |
| 2. |
Application for Registration |
Information used for underwriting and to prepare the card brand specific forms |
In some cases, the TPA may be requested to complete all of the card brand forms rather than a single application. Each Sponsor Bank may differ on their procedures. Inaccurate and/or in complete information may be grounds for denying an application. |
| 3. |
Registration and Application Fee(s)
(Fee range is $10,000 to $25,000)
|
Submits fees to card brand and maintain a small portion for the administrative process |
Fees along with submission of the required documents to the card brands yields “Registration”, if approved. |
| 4. |
List of all principal owners (for non-public entities only)
(TIP: Run a federal and state background check on each of the principal owners first and be prepared to address any known issues.) |
Background checks (criminal, credit, financial)/tax liens |
Ensure the results do not violate company policy for items such as federal offenses and related financial crimes. |
| 5. |
Financial statements and tax returns (most recent year and 1 -2 previous years) |
Financial analysis to determine credit and financial risk |
The analysis may yield a required reserve and/or principal owner guarantee to cover risks that may exceed credit and financial ability. |
| 6. |
W-9 (Tax ID) |
Run a company background check |
May be denied Registration if the company Tax ID and business existence cannot be validated |
| 7. |
Business License, Declaration of Corporation (non-public entities only) |
Validate business existence and purpose of conducting business |
May be denied Registration if the company existence and business purpose cannot be validated |
| 8. |
Credit check authorization form (non-public entities only)
(TIP: Review credit bureau reports for all principal owners first and be prepared to address any known issues.) |
Perform a credit check |
Derogatory credit information may either pend the Registration process requiring more information from the TPA or a higher requested reserve. The TPA may be denied if bankruptcy or poor credit scores were noted. |
| 9. |
PCI compliance status/validation
(Estimated costs range from $250,000 - $2.5 million, includes implementation) |
Review the list of approved service providers and the PCI status (Global List of PCI DSS Validated Service Providers)
If not listed and/or a Report on Compliance (ROC) has not been provided by the TPA, they will request an action plan to achieve PCI DSS. |
Entities not PCI validated may be denied Registration unless they can provide evidence that cardholder data is not “handled” (stored, processed and/or transmitted) in the TPA environment. |
| 10. |
Other information/forms specific to the Sponsor Bank
(e.g. business insurance verification) |
Varies depending on the information requested; ensure proper liability coverage |
Will vary depending on the information requested. If insurance coverage is insufficient to cover the risk |
PCI Data Security Standards (PCI DSS)
The PCI DSS applies to any entity that stores, processes, and/or transmits cardholder data. It covers technical and operational system components included in or connected to cardholder data. If your business accepts or processes payment cards, it must comply with the PCI DSS.
PCI DSS is an important component of the Registration process, one not taken lightly by a Sponsor Bank and the card brands. TPAs are not only required by the card brands to be Registered; they must also be PCI DSS compliant if they store, process and/or transmit cardholder data. PCI validation requirements vary slightly based on the Service Provider PCI Level as noted in the table below.
Table 3: Service Provider PCI Levels and Requirements Summary
| Service Provider PCI Compliance Level |
Criteria (varies per card brand) |
Requirements |
| Level 1 |
All third party agents that store, transmit, or process greater than 300,000 transactions annually (evaluated by individual card brand) |
1. Annual Onsite Assessment by a Qualified Security Assessor
2. Quarterly Network Scan by an Approved Scanning Vendor |
| Level 2 |
Includes all service providers that store, transmit, or process less than 300,000 transactions annually (evaluated by individual card brand) |
1. Annual Self-Assessment Questionnaire (SAQ) – Version D
2. Quarterly Network Scan by an Approved Scanning Vendor |
For more information about specific card brand PCI requirements review the following websites:
Registration and PCI DSS Costs
Registration as a TPA typically costs between $10,000 and $25,000. Becoming PCI DSS compliant can add up anywhere from $250,000 to over $2 million. As a SaaS provider, you have the option of outsourcing your payment processing, which would eliminate the need (and cost) for registering as a TPA and decrease the burden of PCI DSS compliance.
Susan Kohl is CEO of ThoughtKey, a payment industry boutique consulting firm focused on PCI, regulatory compliance, risk management and expert testimony serving all parties of the payment industry value chain. You can reach Susan via email or phone (678)522-2466 or on Twitter @PCISK.
