PCI Compliance: What Does It Mean to Collection Agencies?

Next to making calls, payment processing is the most important thing we do at a collection agency. Agencies should have multiple avenues for a customer to set up and make payments; the easier the process and the more options the customer has, the more satisfied the customer will be. In order to accept electronic payments, agencies must be in compliance with all banking and collection regulatory rules; PCI and regulatory compliance must be maintained through continued monitoring of new legislation, opinions, and pending legal decisions. Training employees about the regulations and payment options available to the customer is also critical to success. Finally, due to the risk profile of our industry, choosing the right merchant processor is vitally important. It is no longer enough simply to have the infrastructure to accept and run electronic payments; agencies must keep a pulse on regulation and new payment options to stay competitive and satisfy the ever-changing needs of consumers.

What is key to maintaining payment information security (PCI DSS, etc.)?
Payment Card Industry Data Security Standard (PCI DSS) compliance is something any organization can successfully achieve. The latest version, PCI DSS 3.2.1, has been in effect since June 2018 and aims to drive organizations not only to consider security measures when dealing with payment card data, but also to build security practices into their daily operations. To prevent unauthorized data access, keep the storage of sensitive data to a minimum and implement technologies to encrypt data at rest and data in transit. When encrypting, use strong and validated cryptographic keys and algorithms, and ensure the keys used for decrypting the data are tightly controlled and protected.
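The "keep storage to a minimum" advice above is easier to apply with concrete helpers. The following is an added example, not code from the article or from CBE Companies: it uses only the Python standard library to truncate a card number (PAN) for storage and display, to derive a keyed one-way token so records can be matched without keeping the PAN, and to scrub PAN-shaped strings out of free text such as logs and call notes. The card number is a constructed, well-known test value; the HMAC key in the usage section is generated on the fly and, in a real deployment, would live in a separate key store (HSM or tokenization service), never alongside the tokens. Encrypting the PAN itself for storage would use a validated AES implementation, which the standard library does not provide, so this example sticks to truncation and tokenization.

```python
import hashlib
import hmac
import re
import secrets

# Constructed test card number (a well-known Luhn-valid test value, not a real account).
SAMPLE_PAN = "4111111111111111"


def _digits(pan: str) -> str:
    """Strip spaces and dashes so '4111 1111 1111 1111' and '4111111111111111' are treated alike."""
    return "".join(c for c in pan if c.isdigit())


def luhn_valid(pan: str) -> bool:
    """True if the digit string passes the Luhn checksum (catches typos, says nothing about fraud)."""
    digits = [int(c) for c in _digits(pan)]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Truncate for storage/display: keep at most the first six and last four digits."""
    digits = _digits(pan)
    if len(digits) < 13:
        raise ValueError("not a PAN-length digit string")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def tokenize_pan(pan: str, key: bytes) -> str:
    """Keyed one-way token (HMAC-SHA256) for matching or de-duplicating payments without storing the PAN.

    An unkeyed hash would be brute-forceable over the small PAN space, so the key matters;
    it must be stored separately from the tokens (assumption: a dedicated key store)."""
    if len(key) < 32:
        raise ValueError("token key must be at least 32 bytes")
    return hmac.new(key, _digits(pan).encode("ascii"), hashlib.sha256).hexdigest()


def new_token_key() -> bytes:
    """Generate a fresh 256-bit key from the OS CSPRNG."""
    return secrets.token_bytes(32)


# 13 to 19 digits, optionally separated by single spaces or dashes.
_PAN_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def scrub_log_line(line: str) -> str:
    """Replace any Luhn-valid PAN-shaped run in free text with its masked form.

    Non-Luhn digit runs (ticket numbers, phone numbers) are left alone."""
    def _repl(m: re.Match) -> str:
        candidate = m.group(0)
        return mask_pan(candidate) if luhn_valid(candidate) else candidate
    return _PAN_RE.sub(_repl, line)


if __name__ == "__main__":
    key = new_token_key()                      # in practice: fetched from a key store
    print(mask_pan(SAMPLE_PAN))                # 411111******1111
    print(tokenize_pan(SAMPLE_PAN, key))       # 64 hex chars, stable for this key
    # Constructed log line of the kind an agent's notes or a payment log might contain.
    print(scrub_log_line("payment posted for card 4111 1111 1111 1111 ref 12345"))
```

The scrubber is deliberately gated on the Luhn check so it does not mangle every long number in a log; the masked form it writes (first six, last four) is what should reach any system outside the cardholder data environment.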

•  Regularly Test Security Systems and Processes
Data protection must be managed on an ongoing basis and built into an organization's daily business operations. New vulnerabilities appear constantly, which means agencies must always be attentive: use a risk-based approach to continuously identify, routinely assess, and swiftly resolve security threats to processes and systems in a timely, cost-effective manner.

•  Maintain a Vigilant Policy Compliance Program
Auditors require evidence of how organizations are meeting the requirements of multiple regulatory mandates, industry standards, and compliance frameworks. Maintaining a vigilant policy compliance program enables companies to reduce risk and continuously provide proof of compliance. Additionally, a policy compliance program helps identify and assess key security settings in your systems, which exposes new security-related issues and promotes discussion of new or revised policies and procedures.

•  Train Your People
More than technology or policy, it’s the people in your organization who have the greatest influence on successfully maintaining a strong security posture within an organization. The threat is not always disgruntled workers or corporate spies; it is often the unwary, careless employee who can do harm to your network by visiting websites infected with malware, responding to phishing e-mails, storing their login information in an unsecured location, or even giving out sensitive information over the phone. The best way to make sure employees will not make costly errors regarding information security is to institute company-wide security-awareness training initiatives.

What is something lesser-known about electronic payments all collection professionals should know?
Payment type affects not only the cost to the agency in order to process the payment, but also when the transaction will clear a consumer’s account. If a consumer chooses to make a payment via a credit card, the interchange fees charged are generally higher than if a consumer pays via a debit card. This fee will fluctuate depending on whether a consumer uses a reward credit card, a low-limit new card, a check-by-phone, an ACH payment, etc. There are no “standard” hold periods in the payment industry, so how quickly payments clear depends on the financial institution and the payment method used by the consumer.

Bill Atkins is Director, Infrastructure and Tech Support at CBE Companies