How Payment Processors Help Meet Compliance

According to BillingTree’s 2016 Collection Agency Operations and Technology Survey, Compliance Policy/Procedure Implementation was the largest concern within the collections industry. This concern extends to every facet of their businesses as well as beyond because non-compliance of vendors hired by the agency can result in significant fines and penalties leveled against the agency that hired the vendor.

With that thought in mind, BillingTree would like to remind their users of some of the particular laws that define the compliance arena. Which laws and regulations to address depends on the type of client the agency works with, however, there are three important certifications that an agency must be aware of:

PCI-DSS 3.1:

PCI-DSS stands for Payment Card Industry Data Security Standard. It is a set of security standards designed to ensure that all companies that accept, process, store or transmit credit card information maintain a secure environment. What constitutes a payment? Anything from a Point of Sale system such as a card-swipe terminal in a restaurant to a website e-commerce shopping cart can be classified as a payment. Any piece of software that has been designed to touch credit card data is considered a payment application and therefore compliance is required.


HIPAA refers to the Health Insurance Portability and Accountability Act of 1996. Electronic Protected Health Information (ePHI) refers to any protected health information (PHI) that is covered under HIPAA security regulations and is produced, saved, transferred or received in an electronic form.

There are 18 specific types of electronic protected health information, including patient names, addresses, Social Security numbers, email addresses, fingerprints and photographic images, among others. In addition, any past medical records or payment information is subject to the same degree of privacy protection. ePHI regulates how that information is transmitted through electronic devices. Regardless of the type of electronic device that is used to access electronic protected health information, whether it is a personal computer (PC), tablet PC or smartphone, the financial institution they access must abide by HIPAA Security Rule guidelines when handling both information at rest and that which is being transferred electronically, via email or through file transfer.

SSAE 16:

This is the Statement on Standards for Attestation Engagements 16. It is a regulation created by the Auditing Standards Board (ASB) of the American Institute of Certified Public Accountants (AICPA) for redefining and updating how service companies report on compliance controls.

There is a very good reason to have current SSAE 16 certification: many companies will not even think about using your company to perform services for them without a clean Type II Report in place.

SSAE 16 demonstrates the ability to perform outsourcing services for public companies. If performing financially significant duties for a public company, SSAE 16 is the only way to give investors assurance over controls that are not performed by the company in question. Both public and private companies are more likely to trust your organization with their data when your company is SSAE 16 certified.

Recently BillingTree successfully completed 2016 audits for PCI-DSS 3.1, HIPAA/ePHI and SSAE 16. The certification of validation was issued June 26, 2016 by an authorized Third Party Assessor and a Qualified Security Company (QSC), certified by the PCI Security Standards Council. You can rest assured that all financial or personal data that is stored, processed, transferred or received is handled in complete compliance and that the reports you receive are at governmental standards of trustworthiness.