Don’t Get Complacent About Compliance

Triple check your risk management strategies to avoid a breach

There’s no shortage of instances of security breaches where customer data is accessed or exposed. It seems like you can’t go one week without learning of a new breach somewhere across the country.

It’s no secret that a breach can be nothing short of catastrophic, costing a company time, money and eroding trust with customers who may leave for a competitor.

This is even more pronounced in the Accounts Receivable Management (ARM) industry because agencies work with multiple clients and they typically work with several payment processors, adding complexity to this issue.

In addition, collection agencies typically look at large Fortune 500 companies as very successful and lucrative clients. And while that is certainly the case, it opens up more risk of attacks due to the heightened visibility and number of access points of a larger company. For example, a hacker is much more likely to target a large healthcare company or nationwide retailer as opposed to a small dry cleaning company.

All is not lost though. Adhering to best practices around security and compliance offers an unprecedented level of protection from attacks and data breaches. But it doesn’t stop with an annual renewal, the best payment providers constantly reinforce and adhere to the various levels of compliance consistently over time. That’s what separates the best-in-class providers from the rest.

Simplifying Compliance

It may seem overwhelming to keep up on compliance in the ARM space. There are always new regulations, additional ways hackers can access systems and updated compliance rules to stay abreast of.

In the interest of simplifying this complex topic, here is a quick overview of the ‘Big 5’ compliance areas that every payment platform needs to have.

PCI-DSS: This is the most well-known compliance standard and it was created to enact controls around how companies handle cardholder data to decrease credit card fraud. Give some bonus points to your payment provider if they are Level 1 certified because that means they have successfully processed more than 6 million Mastercard or Visa transactions annually.

NACHA: Formerly the National Automated Clearing House Association, this organization has created rules and standards around ACH or eChecks, where a consumer uses a checking account to remit payments either online, via IVR or through a phone-assisted process with a live agent.

SSAE 18: Sometimes called the Statement on Standards for Attestation Engagements (SSAE) 18, SOC 1 compliance focuses on an organization’s controls around financial statements and encompasses an audit related to these financials. SOC 2 covers a company’s controls related to operations and compliance, and more specifically its security, availability, processing integrity, confidentiality and privacy. This is the most up-to-date and comprehensive version of this compliance area.

HIPAA: If you operate in the healthcare industry, HIPAA is not optional, it’s a requirement. Simply put, HIPAA handles the privacy and portability of consumers’ personal healthcare information and ensures security for personally identifiable information, including payment information. There have been recent breaches in the medical industry so compliance is critical.

Now that you know the different areas of compliance for payment processors, here are a few tips to ensure your payment provider is fully compliant with each of the ‘Big 5’ areas.

  1. Show me the AOC: Ask for your payment processors’ AOC (Attestation of Compliance) for PCI. If their name is NOT on it, alarm bells should be ringing. If there’s a breach and your client is insisting on seeing your payment processor’s AOC, it likely won’t sit well that they’re not the entity that’s compliant. And how are you expected to hold your payment processor accountable if they aren’t the one who’s directly compliant?
  2. Another NACHA in your belt: ACH is a great payment channel for collection agencies. Being compliant with NACHA makes sure your business is operating in full compliance with all security and risk avoidance practices for ACH/eChecks.
  3. SOC it to me: SSAE 18 compliance is important because it’s a big confidence booster for your clients. If your payment processor is SOC 1 and SOC 2 compliant it presents controls around finances as well as privacy and security in a very transparent way, which can assist tremendously in the case of an audit.
  4. Stay hungry hungry HIPAA: Compliance with HIPAA is not to be understated. A typical fine for non-compliance could range between $50,000 per violation up to $1.5 million per year. Making sure your payment provider is HIPAA compliant is absolutely essential.

Now you know the basics of areas you must master to minimize the chances of a breach. The great news is that BillingTree is not only compliant with the ‘Big 5’ areas of compliance, but we have an entire compliance department to help you minimize your risk and lower your chances of a breach. In addition, at BillingTree there are several Accredited ACH Professionals (AAPs) on staff, for an extra level of confidence and trust.

The one thing you will find working with BillingTree is we anticipate your needs and can help you when pitching to the Fortune 500. We exist to grow your business and we can do that by documenting our comprehensive compliance efforts and demonstrate our security controls.

We recommend you take the next step by requesting a processing compliance review. We’ll provide a complimentary evaluation of your current environment and uncover some opportunities to fill any gaps in your payment acceptance process.