December 28, 2017
By Barton “Chip” Bright, General Counsel and Chief Compliance Officer, BillingTree
This year was the first time in the five years of BillingTree’s ARM survey that online portals (84 percent) moved ahead of live agents (80 percent) as the most common form of payment offered by processors. The change, driven by millennials who want to send and receive payments within twenty-four hours using smartphones and other mobile devices, brings with it more complex compliance challenges for payment providers. Four key areas of compliance should be top of mind for any organization looking to adopt card-not-present channels to meet the demand for digital payment options.
According to Dave Yohe, vice president of Marketing at BillingTree, the financial services industry is the number one target for hackers and, unsurprisingly, an area where consumers expect their data to be secure. A single breach can sink a company, especially a smaller organization. Reputational damage aside, the average cost of a data breach is $4-6 million, far more than the investment needed to remain PCI compliant, and PCI compliance is widely imagined to be more complicated than it actually is.
In 2017 the PCI DSS self-assessment questionnaire (SAQ) put compliance front and center for merchants. If an organization answers "no" to any of its series of yes-or-no questions, it must state a remediation date and the associated action to avoid being penalized; that remediation is then monitored to ensure it is carried out.
Consumer expectations are constantly changing and providing the payment options they demand can be a huge investment for companies. When adopting new technologies such as mobile payments and IVR, ensuring your company remains compliant with applicable laws, rules and regulations is essential, especially with the increasing pressure from regulators.
Reg E protecting the consumer
Regulation E provides a basic framework that establishes the rights, liabilities, and responsibilities of participants in “electronic funds transactions” involving ACH payments and debit card transactions. Rule-making is shared between the Federal Reserve and the CFPB, but with increased scrutiny from the CFPB has come more confusion among collectors as to what type of transactions are covered by Reg E, as well as how it applies to recurring payments.
In simple terms, if funds are being collected directly from a deposit account, then Reg E applies. An “account” in this instance is defined as any “demand deposit, savings deposit or other asset account established for personal, family or household purposes.”
Fear of Reg E litigation has caused some organizations to revert to paper-based payments, but that doesn’t need to be the case. With plentiful documentation and numerous specialists now in this area, understanding Reg E is no longer a time-consuming enigma, leaving organizations free to concentrate on their core business objectives.
Sign on the digital line
Another frequent source of confusion is the interplay between the Electronic Fund Transfer Act (EFTA) and E-sign. The EFTA is a federal law enacted in 1978 to protect consumers when they use electronic means to manage their finances. E-sign is simply an electronic means of satisfying certain notice and signature requirements of the EFTA, allowing both service providers and consumers to eliminate paper communication.
E-sign does not alter or limit any existing disclosure requirements; it is a prescribed method for replacing wet-ink signatures on paper documents with an electronic alternative and for keeping records electronically. Its intent is that contracts and legally required notices may not be denied legal effect, validity or enforceability solely because they are in electronic form.
E-sign refers to all legally required communications with a consumer, not just payments. The basic requirements of E-sign are as follows:
- The consumer must consent to receive legally required disclosures electronically
- The consumer must be informed of his/her right to receive such disclosures in paper form and any associated costs
- The business should identify whether or not the consent relates to a particular transaction (such as account opening documents), or to ongoing disclosures over the course of the parties’ relationship (for example, account statements)
- The consumer must be informed of his/her right to withdraw consent to electronic disclosures, and the process and terms for such withdrawal
- The business must provide a method for updating the consumer’s contact information
- The business must provide the consumer with the hardware and software requirements necessary for communicating electronically
- The consumer must confirm consent electronically in a manner that reasonably demonstrates the consumer’s ability to receive or access necessary communication electronically
As digital becomes the norm, E-sign will minimize risk and differentiate a business over others still only offering wet signatures and paper disclosures.
Phone payments—different cards, different requirements
When collecting a payment over the phone, the authorization record you must keep depends on the type of card being used and on whether the payment is one-time or recurring.
One-time debit or credit:
- Oral authorization captured on a call recording is accepted, and records of authorization need to be kept for a minimum of 2 years.
Recurring credit card:
- Can be authorized with call recording; same process as one-time payments.
- Can also be authorized in writing, but the writing does not necessarily need to be signed.
Recurring debit card (funds taken from a deposit account):
- Subject to Reg E, the EFTA and the CFPB's interpretation of them.
- Requires written authorization which must be signed. Organizations assume that payments are less likely to be made if a consumer has to sign in ink and return a letter, and this is a key driver behind E-sign.
To remain PCI compliant when recording a call, you need to ensure the card number and the CV2 (card verification code) are not retained together in the recording. Newer telephony platforms can mask the card number in the recording or pause recording while it is spoken; if you are on legacy phone technology, you must at least make sure the CV2 never enters the recording, for example by pausing the recorder or having the customer enter it via keypad. Note that PCI DSS does not allow the CV2 to be stored after authorization in any form, encrypted or not, so "encrypt it and store it separately" is not a compliant option: the card number (PAN) may be kept only if it is masked or otherwise rendered unreadable, and the verification code must be discarded once the transaction has been authorized.
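The following is an added example, not code from BillingTree or from the original article, showing how a stored call transcript can be scrubbed before retention: Luhn-valid card numbers are truncated to first six/last four (PCI DSS accepts truncation as a way of rendering stored PAN unreadable), and the verification code a customer reads out after the agent asks for it is removed entirely rather than encrypted. The transcript lines, the "AGENT:"/"CUSTOMER:" turn format and the prompt phrases are constructed assumptions for the example.

```python
"""Scrub cardholder data from a call transcript before it is retained.

Added example (not from the original article). Assumes transcript lines of
the form "SPEAKER: text" with speakers AGENT and CUSTOMER.
"""
import re

# A run of 13-19 digits, optionally split by spaces or hyphens as a customer
# would read a card number aloud. The lookarounds stop the pattern from
# matching a sub-run inside a longer digit string.
PAN_CANDIDATE = re.compile(
    r"(?<!\d)(?<!\d[ -])(?:\d[ -]?){12,18}\d(?!\d)(?![ -]\d)"
)

# Agent prompts (assumed phrases) after which the customer's next turn is
# expected to contain the card verification code.
CVV_PROMPT = re.compile(
    r"\b(?:cvv2?|cv2|cvc|cid|security code|three[- ]digit|four[- ]digit)\b",
    re.IGNORECASE,
)

# A standalone 3- or 4-digit number: the shape of a spoken verification code.
CVV_SHAPE = re.compile(r"(?<!\d)\d{3,4}(?!\d)")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn check (ISO/IEC 7812)."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(digits: str) -> str:
    """Truncate a PAN to first six / last four, the maximum PCI DSS permits."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def find_pans(lines):
    """List every unmasked, Luhn-valid card number present in the lines."""
    found = []
    for line in lines:
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                found.append(digits)
    return found


def redact_pans(text: str) -> str:
    """Mask Luhn-valid card numbers; leave other long numbers (references) alone."""
    def _sub(m):
        digits = re.sub(r"[ -]", "", m.group(0))
        return mask_pan(digits) if luhn_ok(digits) else m.group(0)
    return PAN_CANDIDATE.sub(_sub, text)


def redact_transcript(lines):
    """Return the transcript with PANs masked and the CV2 removed outright.

    The CV2 is dropped, not encrypted: PCI DSS forbids keeping it after
    authorization in any form.
    """
    out = []
    expect_cvv = False
    for line in lines:
        speaker, sep, text = line.partition(":")
        text = redact_pans(text)
        who = speaker.strip().upper()
        if who == "CUSTOMER" and expect_cvv:
            text = CVV_SHAPE.sub("[CVV REMOVED]", text)
            expect_cvv = False
        elif who == "AGENT":
            expect_cvv = bool(CVV_PROMPT.search(text))
        out.append(f"{speaker}{sep}{text}")
    return out


# Constructed sample transcript (test card number 4111 1111 1111 1111; the
# 16-digit "account reference" is deliberately not Luhn-valid).
TRANSCRIPT = [
    "AGENT: Can I take the card number please?",
    "CUSTOMER: Sure, it's 4111 1111 1111 1111.",
    "AGENT: Thanks. And the three digit security code on the back?",
    "CUSTOMER: It's 123.",
    "AGENT: Expiry?",
    "CUSTOMER: 12 of 2020, and my account reference is 1234567890123456.",
]

if __name__ == "__main__":
    for line in redact_transcript(TRANSCRIPT):
        print(line)
    print("unmasked PANs remaining:", find_pans(redact_transcript(TRANSCRIPT)))
```

Run `find_pans` over the scrubbed output as the retention gate: a recording or transcript should only be written to long-term storage when it returns an empty list. The CV2 heuristic is deliberately tied to the agent's prompt so that unrelated three- and four-digit numbers (expiry years, amounts) are left intact.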
Some processors can tell from the first few digits of a card number whether it is a debit or credit card. Others can't, so your call script needs to ask the customer what type of card they are using. If you have done your part by asking, the law gives you a safe harbor if the customer then gives you the wrong type and you haven't carried out all the relevant checks. In any event, record the call and keep a record of the consumer's consent.
Not so convenient fees—check before you charge
Convenience fees are anything but convenient, for both the processor and customers. It’s not just different states that have different policies, different card processing networks do too. The process is used to offset the cost of payment processing by charging customers for the privilege of using an alternative payment channel, or a payment method that is not standard for the merchant—be aware, this means you can’t charge the fee across all channels.
The number of merchants charging this fee is dropping—for the second time in five years, the BillingTree ARM survey found that a majority of agencies were not collecting convenience fees, nor were they planning to do so. As paying with plastic is no longer seen as the convenient option but the norm, it’s not surprising that many consumers are against the fee and by charging it you could alienate potential customers.
If you are going to charge a convenience fee you need to check the laws in the state you are based in and in the states where you operate, as well as the states where your consumers reside.
Keeping up with compliance
These are four key areas to check carefully to help you stay compliant, but as always, make sure to check with your compliance experts to ensure that your business is operating within the bounds of applicable laws, rules and regulations. When deciding who to trust with processing your payments, check that they maintain reputable payment technology, a focus on compliance and the correct certifications: appropriate PCI DSS, HIPAA and SSAE 16 (SOC, now issued under SSAE 18) certifications and audits.
There are thousands of options organizations can choose from when embracing new technology, but at the end of the day there is no point in implementing the latest and greatest tools, if your business is going to be shut down for compliance violations.