Entries tagged with “Regulation”.

If you’re a member of one of the many wonderful direct sales organizations you know how important it is to have an effective payment solution. Even with amazing products your sales performance can be negatively impacted if the payment portion of your buying experience is lacking.

ProPay works extensively with direct selling organizations, is an active member of the Direct Selling Association, and understands the unique needs of this progressive market. If you’re new to direct selling or haven’t considered the importance of a solid payment partner, we’d like to share a few thoughts.

Seize the moment – Regardless of which type of direct selling organization you’re part of, they all share an element of timing. Whether it’s starting someone on the path to building their own business or providing a real-time opportunity to purchase products they’re excited about, nothing is worse than clumsy or broken payment processes derailing a positive experience.

Credibility – Sometimes potential customers are unsure about doing business with a direct selling company. Creating confidence is essential at these critical times. Scribbling down credit card numbers or fumbling with manual data entry doesn’t instill confidence and can create concerns for potential customers.

Access to funds – It’s frustrating to have your commissions locked away in some confusing back office process leaving you waiting weeks or months to get access to your hard-earned funds. ProPay offers solutions that can provide near-instant access to your commissions.

A partner who gets it – As mentioned above, ProPay is a veteran of the direct selling industry. We know the business and all its variations better than anyone in the payment industry and have proven our value over the years to the largest and most respected direct selling organizations.

As a direct seller you’ve selected a company you believe in with products you feel passionate about. It’s important to apply that same level of consideration to your payment partner. ProPay is the payment partner you can believe in.

Click here to learn more about our solutions for direct sellers. Call 888.227.9856 or email sales@propay.com.

You may have seen headlines (small ones, but headlines nonetheless) regarding the re-authorization of the Safe Web Act.  The full name of the act, which is far more descriptive of its actual function, is “Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act of 2006.”  As implied in its title, the bill was originally passed in 2006, but was set to expire this year unless it was re-authorized.  On Dec. 7, 2012, President Obama re-authorized the act until 2020.  So does this mean that the web is now safe all the time for everyone?  No, but it allows the Federal Trade Commission certain powers that enable it to find and prosecute scammers, even if they are not domestic criminals.

The main thrust of the act is to allow the FTC to go beyond the US borders when investigating online criminal activity, especially as related to consumer protection.  The act empowers the FTC to share information about scams and the criminals behind them with foreign law enforcement agencies.  Previously, the FTC had been restricted to sharing only with other US agencies.  Additionally, the FTC is empowered to aid foreign agencies in the investigation of online scams.  Further, the FTC will have the right to get information from foreign agencies.  The law provides “enhanced investigative and litigating tools” to the FTC to allow it to pursue investigations and actions more effectively.

This is not a complete summary of the law, but it does allow consumers to know that the FTC takes online scams and fraud very seriously and has been empowered, through 2020, to pursue these criminals even if they are not within the boundaries of the United States.  As Mary Bono Mack (R-CA), the bill’s lead sponsor, says, “This is a win-win. It’s good for American consumers. It’s good for the future of e-commerce. And it’s the right thing to do for our nation and our friends around the world.”

In discussions with small merchants about the Payment Card Industry Data Security Standard (PCI DSS), it is clear that there is still some confusion surrounding exactly what payment acceptance channels must be in compliance with the standards.  It is not uncommon to hear merchants suggest that PCI DSS only applies to online payments.  That can be a very unfortunate misconception.  All payment acceptance channels must be compliant with the PCI DSS.  Depending on how many transactions you process annually, you may not be required to validate compliance, but being in compliance is always required – for every payment channel and every merchant.

As a small merchant, think about all of the different ways that you might take payments.  You might have a customer that calls you and asks to place an order over the phone.  How do you process that transaction? Do you save the card number in a spreadsheet (please don’t save the number in a spreadsheet)?  Or do you enter the number in a virtual terminal so that you can securely process the payment and save the information for later use?  Do you have a website through which you accept orders?  Do you accept payments in a face-to-face context using a mobile payment device?  Each of the ways that you accept payment must be compliant.

It’s rare to find a merchant that doesn’t require multi-channel support from their merchant service provider.  It’s important to find a service provider that meets all of the needs of your business model.  More importantly, merchants should seek out service providers that can support and maintain compliance for each of those channels.  Merchants should ask probing questions about how the transaction is secured, how the data is stored, and how long the company has been providing compliant services.  Most importantly, merchants should have a full understanding of where the liability lies in the event of a data compromise.  If you’re storing numbers in a spreadsheet and your laptop gets stolen, that is considered a compromise under PCI DSS and the fines, fees and penalties can flow to you, the merchant.  (You can read about Visa’s penalties here.)  If you’re using a registered, compliant service provider to support your business, and you’re not storing the data yourself, the service provider has the liability for any compromise of that data.

It’s very important to understand the chain of liability when selecting a service provider, and even when selecting specific services from that provider.  For more information about how PCI DSS impacts small merchants, you can check out the Payment Card Industry Security Standards Council (PCI SSC) resources for small businesses.

When it comes to PCI DSS there is no secret that there is a lot of confusion.  Surprisingly, one of the most confusing aspects seems to be who is responsible for enforcement of the standard.  Is it the acquiring bank, the PCI SSC, or the card brands?  Do state level governments get involved?  What about federal?  It’s not uncommon to hear merchants ask the question “why are you making me do this?”  Here, hopefully, is an explanation that can help clear up some of the confusion.

The Payment Card Industry Data Security Standard, commonly referred to as PCI DSS, is managed by the Payment Card Industry Security Standards Council (PCI SSC or simply “the Council”).  The Council is responsible for creating and managing the standards, ensuring that they are disseminated appropriately, and training and accrediting Qualified Security Assessors, or QSAs.  The Council does not conduct assessments, nor does it enforce the standards.  While it plays a critical role in the industry, it does not determine the consequences of non-compliance.

Acquiring banks or merchant banks are often cast in the role of the enforcer, but this is an oversimplification of the complex nature of the industry.  The acquirers, just as merchants, are bound to adhere to all card brand operating regulations.  Part of those rules require the banks to ensure that their merchants are also in compliance with the card brand rules, including the PCI DSS and related standards.  Fines for non-compliance are passed through acquirers to the merchants.  In other words, the card brands impose fines on the acquirer for non-compliant merchants.  The acquirer then passes that fine on to the merchant.

Ultimately, though, it is the card brands that are responsible for the enforcement of the PCI DSS.  Each of the major card brands has its own security program, with different processes for dealing with non-compliant entities and with entities that have suffered a breach.  Here are the links to each of the programs.

It is important to note, though, that some states have passed laws mandating PCI DSS compliance.  As of January 2010, all companies that collect or transmit payment card data in Nevada have been required to comply with the PCI DSS.  Penalties for non-compliance include civil action, paying restitution and even injunction.  In 2010, the state of Washington also passed a law requiring PCI DSS compliance.  Minnesota has codified portions of the PCI DSS in its Plastic Card Security Act.  As of yet, the federal government has not passed a law along these lines, but various regulations and the charter of the FTC mean that, in the event of a breach, the federal government may be involved as well.

The best defense against these regulatory headaches is simply this – to the extent possible, don’t store the data.  For those that need to facilitate payments, there are solutions that allow you to do so while minimizing the amount of cardholder data that is stored, processed, or transmitted.  Merchants are well served to investigate these solutions in order to minimize their liability, and in some cases even to reduce their costs.
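The spreadsheet scenario described earlier and the advice to store as little card data as possible can be made concrete. The following is an added example for this post, not ProPay code or a ProPay product: it scans a constructed CSV export of the kind a small merchant might keep, flags any cell containing a 13- to 19-digit run that passes the Luhn check (so plain order references and phone numbers are not reported), and rewrites the file so only the last four digits of each card number survive. The column names, customer rows and card numbers are constructed; the card-shaped values are well-known test numbers, not real cards.

```python
import csv
import io
import re

# Constructed sample of a merchant's spreadsheet export (all values made up).
# Rows 1 and 3 hold Luhn-valid test card numbers; row 4 holds a 13-digit
# order reference that is NOT Luhn-valid and must not be flagged.
SAMPLE_CSV = """customer,phone,notes
Alice Example,555-0100,paid 4111 1111 1111 1111 exp 12/25
Bob Example,555-0101,invoice 20231105 sent
Carol Example,555-0102,card 5500-0000-0000-0004
Dan Example,555-0103,order ref 1234567890123
"""

# 13 to 19 digits, optionally separated by single spaces or hyphens,
# not embedded inside a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn (mod 10) check; weeds out most digit runs that are not card numbers."""
    if not digits.isdigit() or not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit, counting from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, enough for receipts and customer lookups."""
    return "*" * (len(pan) - 4) + pan[-4:]


def find_pans(text: str) -> list[tuple[str, str]]:
    """Return (matched_text, normalized_digits) for each Luhn-valid candidate."""
    hits = []
    for m in PAN_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_valid(digits):
            hits.append((m.group(0), digits))
    return hits


def scan_csv(csv_text: str) -> list[dict]:
    """Report each cell that appears to hold a full card number; only the masked form is returned."""
    findings = []
    reader = csv.DictReader(io.StringIO(csv_text))
    for row_no, row in enumerate(reader, start=1):
        for column, cell in row.items():
            for _matched, digits in find_pans(cell or ""):
                findings.append({"row": row_no, "column": column, "masked": mask_pan(digits)})
    return findings


def redact_csv(csv_text: str) -> str:
    """Rewrite the export with every detected card number replaced by its masked form."""
    out = io.StringIO()
    reader = csv.reader(io.StringIO(csv_text))
    writer = csv.writer(out, lineterminator="\n")
    for row in reader:
        new_row = []
        for cell in row:
            for matched, digits in find_pans(cell):
                cell = cell.replace(matched, mask_pan(digits))
            new_row.append(cell)
        writer.writerow(new_row)
    return out.getvalue()


if __name__ == "__main__":
    for f in scan_csv(SAMPLE_CSV):
        print(f"row {f['row']}, column {f['column']}: {f['masked']}")
    print(redact_csv(SAMPLE_CSV))
```

The Luhn filter is what keeps a scan like this usable: without it, every long invoice or order number would be reported. A redacted export still lets the merchant recognise which card a customer paid with, while a stolen laptop no longer contains anything a card brand would treat as stored cardholder data.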

Those that are familiar with this blog may have heard it said more than once that the United States lags far behind Europe with respect to the protection of consumer information.  The European Union, in fact, has been operating under the penumbra of the European Directive on Data Protection for 15 years.  The EU actually recognizes the protection of personal data as a fundamental human right.  That is a far cry from the legislative activities surrounding data privacy in the United States.  The US has traditionally taken a piecemeal approach to data protection, often leaving the regulation of data privacy and security to the states, and in some cases to individual industries.  Given the political culture of the United States, such an approach is not terribly surprising.  However, the rapid advancement of technologies has perhaps been enough to spur the federal legislature into evaluating the lessons of the EU directive to see if, or how, similar regulation might work in the US.

On Friday, Sept 16th, the House Energy & Commerce Committee’s Commerce Subcommittee will be holding hearings on the issue of privacy, and specifically the impact of the EU regulations.  In Rep. Bono-Mack’s published opening comments, she states “The purpose of the Directive is to harmonize differing national legislation on data privacy protections within the European Union, while preventing the flow of personal information to countries that – in the opinion of EU regulators – lack sufficient privacy protections.”  She goes on to discuss the large number of unintended consequences of the regulatory regime.  To be fair, unintended consequences are almost always found in the wake of new legislation, particularly such sweeping legislation as the EU Directive on Data Protection.  It should be noted, though, that with 15 years of implementation history and lessons, the US should be able to draw sufficient parallels without also reaping the same number of “unintended consequences.”

In looking at the purpose of the directive one can immediately see the attraction of such a regime in the US.  As stated by Rep. Bono-Mack, the purpose is to “harmonize differing … legislation on data privacy…”  In looking at the domestic regulatory landscape surrounding data privacy and protection, it is difficult to conclude that some “harmonizing” would not benefit both businesses and consumers.  As of this writing, more than 45 states have data breach notification laws.  While there are some major commonalities among these laws, there are also significant variations.  There are differing definitions of “personally identifiable information,” “breach,” “trigger,” and other critical terms.  Some states include data security protections in those laws, while others have separate laws for data security, and still others have no laws regarding data protection and security.  The situation becomes even more confusing when one considers the federal legislation impacting privacy and security (FERPA, HIPAA/HITECH, GLBA, SOX, etc.) and industry self-regulating programs.

While there are some concerns that tomorrow’s hearing is too slanted towards industry, ignoring or downplaying the concerns of consumers, I believe that it is a positive step.  William McGeveran, professor of law at the University of Minnesota, does bring up an interesting point, though: the differing conceptions of data privacy in the US and in Europe.  According to McGeveran, Europeans think of privacy as a fundamental human right, while Americans (and particularly American businesses) conceive of privacy as a market force with which they have to deal.  That being said, this author does believe that it is possible to create a European-style privacy directive that accounts for American sensibilities.

Dr. Heather Mark, PhD; SVP of Market Strategy