By: Sully Perella, Senior Manager at Schellman
As in nature, many elements function together to support the payment ecosystem, which—as a whole—creates what is our largely digital economy. Of course, due to the sensitivity of the information contained within that ecosystem, some elements are subject to compliance with the PCI DSS security requirements.
The standard was updated last year, and we wrote extensively on the effect of the new v4.0 on several different components that comprise the payment ecosystem, including risk management, multi-factor authentication, and legacy systems.
Now that the transition period is well underway, we want to address the effect of PCI DSS v4.0 on another component—payment facilitators (payfacs).
As experienced PCI QSAs, we understand the ripple effect a new version of the payment industry’s flagship security standard has. So, in this article, we’ll explain PCI DSS v4.0’s impact on payfacs and why you should take action now.
Let us help ease your transition to the new version even more—read on.
What are Payment Facilitators?
To provide a bit of background as to our focus, let’s define payfacs first.
A payment facilitator is an organization that supports other businesses (sub-merchants) to accept payments under its master merchant account.
Because they provide payment options to a much larger array of small and mid-sized organizations—called sub-merchants in this context—and work with multiple acquiring banks, payfacs play both a unique and important role in the aforementioned payments ecosystem.
It’s also a more complex role than you may think in terms of security and the PCI DSS, because the payfac remains the merchant of record but it takes on the risk of transactions run by its sub-merchants and behaves like a service provider.
Security Concerns with Payment Facilitators
Risk and its mitigation are paramount issues in payment security. Consumers trust those they pay for goods and services online—not only do any attacks on e-commerce erode that trust but they also:
- Reduce business opportunities for sub-merchants;
- Decrease options for payfacs; and
- Place a higher risk of transaction fraud upon the acquiring banks to resolve.
None of this is good for anyone, and that includes payfacs, who the majority of—in their critical role—provide an iFrame or redirect to support the e-commerce of their sub-merchants. While this isn’t a new way of working within the grand scheme of digital payments, the exploits now being used by attackers on payment pages are.
Unfortunately, cybercriminals have developed new methods to compromise the secure use of an iFrame or redirect—they’ve become able to access e-commerce payments being processed as authorized transactions and determine the cardholder’s name and number. What’s worse is, these incursions are very difficult for merchants to detect and so these breaches often occur without anyone being immediately aware.
How Does PCI DSS v4.0 Impact Payment Facilitators?
In response to this growing problem, the PCI SSC made updates to further secure the controls surrounding payment page scripts:
Short-Term (For any PCI DSS assessment against v4.0 taking place now or ahead of April 1, 2024)
- In a change from version 3.2.1, merchants must now perform ASV scans for pages that provide iFrames or redirects to comply with PCI DSS v4.0.
Long-Term (Must be implemented by April 1, 2025)
- Integrity verification controls over payment scripts must be in place
- Change/tamper detection on payment pages needs to be monitored
How Payment Facilitators Can Comply with PCI DSS v4.0
What does that mean for payfacs? What can you do to both comply with these new updates and also protect yourself better against these threats?
As relayed earlier, payfacs are the merchant of record for these vulnerable transactions. That means that while your sub-merchant customers are off the hook in terms of not needing to establish a relationship with a bank for credit-card transaction processing—as that’s your job—you’re not off the hook for ensuring their security, especially given the changes in v4.0.
If you’re a payfac, you’re likely already being pushed by your sponsor banks to account for your sub-merchants’ security. To help you do so, we recommend the following proactive measures, which, if taken now, will offer security assurances to your sub-merchants, protect your payment channel, and also act as a key differentiator:
- Hold discussions with your sub-merchants and provide clear guidance on your approach to the PCI DSS compliance changes that will be in place come March 31, 2024.
- Include scanning services for payment pages you host.
- Define how merchants can meet integrity requirements using the iFrame or redirect.
Engaging a QSA to Help
Given that the transition to v4.0 is such a big one with many new complexities to accommodate aside from the ones mentioned here, it may be beneficial to enlist experts to help. For PCI QSAs like Schellman, understanding the payment flows and responsibilities is what we do, and our teams can provide a few services for payfacs to make their obligations easier, such as:
- Conducting ASV scans on your sub-merchants.
- Performing automated, routine analysis of payment page security controls (either on the payfac side or the server side).
- Generating a summary report that you can include as a part of your assessment or separately (we can also tailor this after seeing what your sponsoring bank is specifically asking for).
Moving Forward with PCI DSS v4.0
The advent of PCI DSS v4.0 will mean adjustments for everyone in the digital payment space, and to help with the transition, we’ve written extensively on the different aspects and details:
- What Service Providers Should Know About PCI DSS v4.0
- How to Define Time in PCI DSS 4.0
- Decrypting Cryptographic Requirements in PCI DSS v4.0
- Scoping Out Scoping Requirements in PCI DSS v4.0
Because they play such a crucial role in e-commerce, payment facilitators are certainly no exception to this update, and now you understand what specific changes are now required in both the long term and the short term.
As you move forward with this guidance in mind, you may find you have other questions or interest in engaging a QSA to assist more thoroughly—if that’s the case, please reach out to us. Our team of experts remains well-apprised of these changes, having already performed some early v4.0 assessments, and we are standing by to help however we can.