Author: George Anderson

PCI In B2B: 5 Experts Share Trends and Analysis

As B2B eCommerce solutions continue to mature, more and more companies are starting to ask the tough questions. What does it mean to add a digital revenue channel? How do we ensure that the channel is secure, particularly as it relates to payments? It’s time to talk about PCI compliance for B2B companies.

Luckily, many vendors are answering these questions. Their offerings are guided by deep expertise and a real care for their clients. To help educate B2B decision-makers on PCI compliance and what it means for them, we sat down with 5 experts and asked them the following question:

  • What trends do you see in PCI compliance for B2B?

Here are their answers.

Justin Benson – CEO, Spreedly

Richard McCammon – Founder, Delego / Craig Lehtovaara, VP Product Innovation

Justin Diana – VP Operations, Corevist

David Curl – Director, Enterprise Accounts, CardConnect

Justin Benson – CEO, Spreedly

Q: What trends do you see in PCI compliance for B2B?

B2B manufacturers often miss out on the advantages of credit card payments, especially for purchases under $10,000. While credit card fees are higher than wires or cheques, time to money and reduced collections headaches can still make credit card payments worthwhile.

PCI compliance concerns are still real, but much has happened in the last several years to dramatically simplify the process of creating simple PCI compliant offerings. If the B2B manufacturer is selling their own offerings, newer payment gateways like Braintree and Stripe can make things simple via a direct integration, as with the Magento platform. For those selling in distributed and channel scenarios, offerings like Spreedly can help route transactions to partners’ payment processing without ever touching the card data.

Whatever the scenario, you most likely still need access to good software developers to ensure the system is integrated correctly. But once those resources are in place, PCI should no longer be an issue holding you back from selling more efficiently at lower price points where applicable.

ABOUT THE AUTHOR

Justin Benson is CEO of Spreedly. Justin began work in the Bay Area during the dot com boom for one of the earliest enterprise SaaS startups, working his way up from their first technical support manager to running sales and marketing at the time of acquisition. Having spent time at a large enterprise technology company, he realized his passion was for startups. He joined Spreedly as CEO in 2011, steering the company through a pivot and then fundraising, and helping build a payments technology platform that is on target to process nearly 100 million credit card transactions in 2017.

Richard McCammon – Founder, Delego / Craig Lehtovaara, VP Product Innovation

Q: What trends do you see in PCI compliance for B2B?

Richard McCammon: Privacy rules will begin to creep into the PCI standards. Currently, the standards protect cardholder data which, by definition, means the Primary Account Number (PAN) (i.e. card number), the cardholder name, the service code, and the expiry date. According to the standards, these last three data items must only be protected if stored with the PAN. Privacy regulations in many jurisdictions (the European Union and Canada being good examples) have established standards for the protection of personal information, which includes other identifying data points such as government identification numbers, personal addresses, date of birth, telephone numbers, bank account numbers, etc. Many of these, such as address, are used when processing credit cards. In order to support card payments and these new privacy regulations, the PCI standards will expand to include personal information that pertains to payments.

Craig Lehtovaara: As PCI DSS has evolved over the years, it has increasingly become a material component of many budgets. The 3.x release of the specification was more substantial than its predecessor, and it left many IT departments scrambling to bring previously (thought to be) out-of-scope systems into compliance. Many CEOs and CIOs are looking for ways to reduce their rising compliance costs without compromising on security. At Delego, we’ve noticed three trends in the B2B space to reduce PCI DSS scope to mitigate compliance costs.

  1. Reducing PCI DSS scope by isolating payment card data entry to the cardholder and only using payment tokens in merchant systems.
  2. Using Accounts Receivable Self-Service and Enterprise Bill Presentment and Payment Portals.
  3. Implementing a Point-to-Point Encryption (P2PE) certified solution in their Payment System Architecture to remove payment card data entry from employee workstations.

ABOUT THE AUTHORS

Richard McCammon is a foremost expert in electronic payment security and SAP integration. Working as an SAP consultant in the 1990s, Richard saw an opportunity to produce world class payment card integration software for merchants using SAP. Delego Software was founded to fill this need, and was certified by SAP in early 2000. Since then, Richard has been a driving force behind Delego Software and the creation of integrated payment solutions for the company’s global customer base.

Richard has presented to the American SAP User Group (ASUG), SAPPHIRE NOW & ASUG Annual Conference and SAPInsider Conferences. He was panelist at ACT Canada’s Cardware 2014 conference and is an ongoing guest on SAP Radio. Richard is a leading member of ACT Canada’s Strategic Leadership Team defining the future of Authentication and Tokenization.

Craig Lehtovaara is responsible for creating, implementing and evolving Delego’s technology roadmap. He has played an integral role in developing the Delego platform and modules, and has become an industry-recognized expert in software development in the payment card industry. He is well-versed in navigating the complex requirements for security certification, and is an expert in Payment Application Data Security Standards (PA-DSS) and PCI-DSS compliance.

Justin Diana – VP Operations, Corevist

Q: What trends do you see in PCI compliance for B2B?

More and more alternative payment methods are springing up. These methods are starting in the B2C world and moving over to B2B. With Millennials and the younger generation getting involved, people want to do B2B transactions with mobile devices. More and more companies are accepting things like Bitcoin, blockchain, even Apple Pay.

This makes it more difficult for B2B businesses, especially those who are newer to the online B2B e-commerce world. The technology and the requirements of payment processing are getting difficult to manage in-house. We’re seeing more and more B2B manufacturers outsourcing their payment processing. In that case, the payments processing vendor worries about PCI compliance, which takes the burden off the B2B manufacturer.

This is a newer development. When everything was static, a B2B manufacturer could get away with doing it themselves. But now it’s changing so fast, they have to find a specialist. Everyone is going towards outsourcing—i.e., to the companies who also participated in this article. That’s a good thing for everyone. That’s why Corevist did what we did. We’re relying on specialists who can roll out new payment methods to our clients without affecting the PCI compliance of our e-commerce app.

To put it another way: the breadth of payment scope is increasing, in terms of payment providers and payment methods—but the number of B2B manufacturers who will actually be responsible for those PCI compliance needs will actually go way down, because of these specialist vendors.

B2B manufacturers should understand the disconnect between authorization and capture in the B2B payment process. That’s critical. In B2C, you put in your credit card, you get charged, and you pay right then. In B2B, you authorize the credit card as part of the transaction; but until the manufacturing process is complete, which could take several hours or several days, you don’t actually capture the funds from the bank account or credit card. You have a unique challenge where the authorization tokens need to be taken to SAP, and a separate process needs to transact that layer.

In other words, it’s not only the PCI requirements of your store, but now there’s an integration requirement from SAP. That’s why it’s critical to use a payments vendor. Essentially, the manufacturer has to be PCI compliant on SAP regardless of what they do on their storefront, or they have to find a partner that can handle both pieces. Even though a manufacturer can outsource their e-commerce storefront to Corevist, and Corevist can outsource PCI compliance to a payment vendor, that doesn’t necessarily absolve the manufacturer of PCI compliance requirements—because of the SAP piece. Now SAP is transacting 2 days later, and that has the same PCI requirements.

My biggest takeaway is—work with one of these vendors for your PCI compliance. It’ll save you a lot of headaches.

ABOUT THE AUTHOR

Justin Diana has over 15 years of experience in networking, technology, and software. As VP of Operations at Corevist, he oversees the entire technology stack for our e-commerce integrations to SAP. He ensures that our app is secure, meets our stringent SLAs, and lets our clients rest easy at night.

David Curl – Director, Enterprise Accounts, CardConnect

Q: What trends do you see in PCI compliance for B2B?

According to recent payment security reports, the number of organizations that are fully PCI DSS compliant has been on the rise from 2016 until today. However, despite the trending improvement, reports have also shown that the control gap of companies failing their interim assessment has grown worse.

What makes the latter part of this trend alarming is that data breaches and compromised systems occur because controls are missing or are ineffective. So, what are the top three things B2B manufacturers should do to increase controls and protect their organization against cyberattacks?

1. Understand where your data resides

To mitigate the risk of exposing highly sensitive payment or personally identifiable data in clear text throughout your environment, it is important to take time and understand the overall data flow for sensitive information–i.e., how information enters the environment, what networks it traverses (data in transit), which applications or people handle the data and how data is being stored (data at rest). Once the information flow is understood end to end, a multi-level security strategy can be identified to protect it.

2. Implement a multi-level data security strategy

What is the best approach to a multi-level security strategy for sensitive data? Most industry experts agree it is an approach using a combination of data tokenization, point-to-point encryption (P2PE), standard data encryption, proactive data flow analysis, continuous training for handling sensitive data, and proactive vulnerability monitoring and patching. Using tokenization alone won’t keep a hacker from breaching a system, but it drastically reduces the impact of a data breach. Tokenization replaces sensitive data, like credit card numbers, with a valueless token that is useless to a criminal seeking to steal credit card information. When combining data tokenization with P2PE, a solution that protects sensitive data with encryption from the moment it is captured and through its full lifecycle, businesses can ensure the safety of data in the event that an internal system or network is breached.

3. Monitor controls, make adjustments and act

It is important to continually enhance data security, breach detection and response competency. Often this can be achieved through a combination of automation, training and PCI-certified third party solution providers like CardConnect.

In summary, not only do companies have the critical responsibility of achieving compliance with the PCI DSS, but they also have a responsibility to maintain it.

ABOUT THE AUTHOR

David Curl is a Director of Enterprise Accounts at CardConnect with more than 15 years of experience assisting organizations with payment security and PCI compliance issues. To discuss any of the tips shared by David above, contact him at dcurl [at] cardconnect [dot] com.   
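As an added illustration, not code from any of the vendors quoted above, the following Python models the pattern that Craig Lehtovaara’s first scope-reduction trend, Justin Diana’s authorize-now-capture-later flow and David Curl’s tokenization point all describe: the PAN is entered only at the payment vendor’s vault, the storefront and the later ERP-side capture step hold nothing but a token and an authorization id, and a Luhn-based check confirms that no PAN-like value has leaked into merchant-side records. The vault, its method names, the test PAN and the order fields are assumptions for the example.

```python
import re
import secrets
# Constructed test PAN (a standard Luhn-valid test number, not a real card).
TEST_PAN = "4111111111111111"

def luhn_valid(digits: str) -> bool:  # Luhn check: plausible PAN vs. any digit run
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

class TokenVault:
    """Stands in for the payment vendor: the only component that ever holds a PAN."""
    def __init__(self):
        self._pan_by_token, self._auths = {}, {}

    def tokenize(self, pan: str) -> dict:
        token = "tok_" + secrets.token_hex(8)  # random, not derivable from the PAN
        self._pan_by_token[token] = pan
        return {"token": token, "last4": pan[-4:]}

    def authorize(self, token: str, amount: float) -> str:
        auth_id = "auth_" + secrets.token_hex(6)
        self._auths[auth_id] = {"token": token, "amount": amount, "captured": False}
        return auth_id

    def capture(self, auth_id: str, amount: float) -> bool:
        auth = self._auths[auth_id]
        if auth["captured"] or amount > auth["amount"]:
            raise ValueError("already captured or over the authorized amount")
        auth["captured"] = True
        return True

def storefront_checkout(vault: TokenVault, pan: str, amount: float) -> dict:
    # The cardholder keys the PAN into the vendor's hosted field; the merchant
    # storefront only ever receives a token, the last4 and an authorization id.
    card = vault.tokenize(pan)
    return {"order_id": "ORD-1001", "amount": amount,
            "auth_id": vault.authorize(card["token"], amount), **card}

def erp_capture_after_fulfilment(vault: TokenVault, order: dict) -> bool:
    # Days later the ERP-side process captures the funds using only the auth id.
    return vault.capture(order["auth_id"], order["amount"])

def pan_like_values(record: dict) -> list:
    """Scope check: any Luhn-valid 13-19 digit run stored in a merchant-side record."""
    text = " ".join(str(v) for v in record.values())
    return [m for m in re.findall(r"\b\d{13,19}\b", text) if luhn_valid(m)]
```

Running `pan_like_values` over the order record returns an empty list, while a record that carries the raw test PAN is flagged, which is the check a scope assessment wants to see on every merchant-side data store.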

Moving forward: Case study

Curious about payment methods in B2B eCommerce and how they fit into the big picture? Download the case study below to learn how Drive Medical built an integrated solution that improved product availability and credit handling procedures—all while following an agile methodology and staying within budget.
