Alphabet Soup: Is Your Payment Solutions Partner Up to The Latest Standards?

You’ve probably heard of the “alphabet soup” of regulatory and security standards. But what do all of these terms really mean?

Although they may vary by business type, any company working with a payment solutions partner today must deal with this often-confusing jumble of acronyms. Yet, effectively navigating this sea of regulatory terminology requires that you understand each one that impacts your business, and that you have enlisted a payment solutions provider that is able to work with you to ensure your organization’s compliance.

To help familiarize you with the some of the most common standards, we’ve broken these terms into a list of more manageable, bite-size pieces:


Payment Card Industry (PCI) Data Security Standard (DSS) compliance applies primarily to the payment card industry. If your business stores, transmits or processes cardholder data, you are required to comply. Additionally, if you have a client that is required to comply with PCI DSS, they need to validate your compliance with the standard, as well.

So why is it important? If your customers’ credit card data is stolen or lost, your business can be subject to considerable fines. This is on top of the repayment of fraud and customer card reissuing costs.

By complying with PCI DSS, organizations can dramatically reduce their chance of loss and related fees that can result from a breach. Key security areas all companies should incorporate into their routine practices include:

  • Building and maintaining a secure network.
  • Implementing stronger access control measures.
  • Conducting regular monitoring/testing.
  • Developing a company-wide information security policy.


If you are working for a healthcare provider that services a healthcare provider, you will be asked for validation of your compliance with HIPAA laws. Any entity that handles Protected Health Information (PHI) is responsible for HIPAA compliance.

The federal government put HIPAA in place nearly 20 years ago to ensure we have rights over our own health information, no matter what form it is in – paper or electronic. HIPAA compliance involves an understanding of and compliance with more than 200 separate privacy, security and breach notification rules.

With more than 140 different requirements that fall under the HIPAA Security Rule umbrella, it’s critical to ensure that all systems are protected. Otherwise, businesses are placing themselves – and their patients – at serious risk.
Failure to perform a thorough risk analysis can have several, negative repercussions, such as increased chance of personal health information loss/theft; fines resulting from violations; potential for civil lawsuits; loss of patient trust and business; and, severe reputation damage.


A Type II SSAE 16 report is an independent report on the design and operating effectiveness of key controls at a service organization (SSAE 16s were formerly referred to as SAS 70s).

In a nutshell, SSAE 16 is an audit and report on internal controls (whether related to information security, financial, operational or compliance controls) at a service provider that are relevant to their customer’s data. For example, if you work with publicly traded companies, financial institutions or government agencies, you may be required to have an SSAE 16 audit performed.

Generally, clients that choose to obtain a SSAE 16 report are striving to provide their customers with confidence, as well as to differentiate them from the competition. In fact, many companies will not even think about using a company to perform services for them without a clean report in place.


The Consumer Financial Protection Bureau (CFPB) was launched with a goal of protecting consumers in financial transactions with banks and lending institutions. Its primary focus areas include lending institutions, banks, collection agencies, student loan servicers, mortgage providers and more.

The CFPB’s depth is much more broad than many people may realize.  As a result, not all businesses within its oversight are aware of the necessary requirements in order to comply. Unfortunately, non-compliance can cost businesses enormous penalties, fees and fines. It also can affect their overall brand reputation.

It’s critical for companies to be proactive when it comes to CFPB compliance. Experts suggest the following best practices:

  • Examining your company’s vendors and oversight practices.
  • Requiring proactive compliance (with internal auditing) for vendors.
  • Always putting consumers first.


If your business extends credit to its customers or allows the purchase of goods or services on account, you need to be aware of your customers' rights under the federal Fair Debt Collection Practices Act (FDCPA).

The FDCPA requires that debt collectors treat debtors fairly, and prohibits certain methods of debt collection. Typically, credit cards, phone and medical bills are covered. This can include money owed for a car purchase, for medical care or for even charge accounts.

The Act prohibits conduct that is either abusive or deceptive. At its core, the debt collector is supposed to treat the debtor fairly and honestly. Debt collectors who fail to comply with the terms may be liable in court for misconduct.

The best way to make regulatory and security practices routine is to work with a dedicated payment solutions provider. At BillingTree, our clients have access to fully trained experts who can help with questions and troubleshooting when it comes to the “alphabet soup” of regulatory standards.