Pay360 by Capita has been providing secure payment services for over 20 years. Trusted by brands big and small, it helps clients to offer seamless payment experiences across all payment channels.
With the pandemic forcing a considerable portion of the UK workforce to adapt to home-working, research shows that 26 per cent will continue to work remotely in some capacity. To adapt to this permanent shift successfully, organisations need to ensure long-term solutions to maintain their PCI compliance whilst also providing a safe environment for their employees.
With this in mind, Stephen Ferry, Managing Director at Pay360, shares his thoughts how payment organisations can maintain their PCI compliance with a hybrid workforce?
What has been the traditional Pay360 response to financial technology innovations? How has this changed over the past few years?
In recent years we have seen a huge number of acquisitions of fintech companies by well-established financial services companies, aiming to ensure that they remain at the forefront of the market.
Pay360 has taken a slightly different approach. We secured investment to develop an FCA regulated payment facilitator (PayFac) platform known as Evolve, which integrates into an independent software vendor’s own software, enabling faster customer onboarding, payments process automation and a speedier and more seamless customer experience. PayFacs sit between the online merchants and the rest of the payments infrastructure – acquiring banks, card schemes and issuing banks. They provide businesses with a means of rapidly accessing and delivering payments functionality while eliminating the time, cost and risk involved in setting up a payments platform of their own.
The PayFac model is actually quite straightforward and, in practical terms, it mirrors the software as a service (SaaS) model that so many software providers operate. Just as a SaaS provider ‘leases’ its platform – enabling its clients to leverage and benefit from years of investment and expertise in a specialised area – PayFacs enable users to access sophisticated technology, expertise in payments and established relationships with acquirers, card schemes and new acceptance channels.
For software providers, using the PayFac model delivers a number of advantages. The first is that they can get their own customers – the merchants – up and running and taking payments much faster. The second is that PayFacs businesses are payments specialists, steeped in the language, technology, processes of payments and take the regulatory requirements on behalf of a merchant. This means solutions such as Evolve from Pay360 are robust and secure by design: they are born out of decades of payments experience and expertise. PayFacs deliver reliability and security, removing a huge burden and providing peace of mind, both to the merchants and the software providers who want a technology-led payments solution.
Is there anything that has created a culture of change inside Pay360?
The overarching ethos of Pay360 is “how we can create better outcomes for our customers?”The introduction of a single CRM platform, Salesforce, has enabled Pay360 to have a singular image of the different solutions and services that we deliver to the customer. This has allowed us to understand further the expectations of our customers. In addition, Pay360 carried out extensive market research that was aimed at understanding the challenges facing customers, and specifically, what the company needed to do to adapt and deliver better technologies and services to all its customers. We then took time to listen carefully to each customer to ensure the solution we proposed could meet their current and future requirements, all backed up by a strong service model to ensure continual improvements can be made as and when required.
What fintech ideas have been implemented?
With the introduction of Pay360’s Evolve product, the company now has a software payment platform that will embed a payment platform into the architecture of Independent Software Vendors’ (ISV) proprietary offerings and enable us to help them scale their businesses dramatically over time and improve the end-customer journey. In addition to this, Pay360 has implemented several simple strategies through the introduction of new and innovative digital products to ensure we increase our value proposition in the market. We have identified technologies in the market that we know customers are familiar with and wish to access. We have then introduced those to our platform to help us create a fully functioning payment ecosystem for our customers. For example, an API-first onboarding journey with straightforward automation built-in (where required) – giving further options to both ISVs and customers in how they are onboarded.
Do you see any other industry challenges on the horizon?
Over the past two years, we have seen a huge shift to home working. For many organisations, the ability for their homeworkers to continue to accept card payments over the phone is essential. But without putting certain measures in place, organisations can find themselves in contravention of their PCI obligations, bringing their employee’s working environment into scope and opening themselves up to potential breaches. The increase in cyber-attacks only adds weight to the need for these measures.
Can these challenges be aided by fintech?
While security procedures such as company-provided hardware with up-to-date firewalls and dual authentication measures do go some way to protect sensitive data and adhere to their PCI responsibilities, the best way to ensure that their employees can’t be compromised is to remove the information cybercriminals are after from their environment – payment card data.
Among others, such as digital payment requests by card or open banking, one solution is DTMF suppressing or masking software. DTMF stands for ‘dual-tone multi-frequency’ and represents the signals or ‘beeps’ generated when a user presses individual buttons on their telephone keypad. Whilst these tones are dual-frequency (one high, one low), a measure put in place to try and prevent voice imitation, they can be decoded with the right hacking software.
With DTMF suppressing solutions, the applicability of PCI DSS to that environment can be reduced as the agent never sees or hears card data. Customers input their card information using their telephone keypad when prompted and the information is automatically transmitted to the Payment Service Provider (PSP) for authorisation. No cardholder data is exposed to the agent or enters the organisation’s environment, meaning the scope of PCI DSS is vastly reduced.
