Just like most treasury professionals, I have been challenged by senior
A main issue that I have is balancing these efficiency gains with the
Leveraging electronic payments to reduce costs while mitigating the associated risk
Answers
Scott,
Most, if not all, of these (add Bill Me Later) are mainstreamed as to overall risk exposure, but you do need to understand them and the T's & C's of the contracts. Not sure where you are or what you are selling (e.g. B2B, B2C) but there are plenty of resources. I have worked with PSP firms (Payment Service Providers) who look to wrap up many of the options into one face to deal with.
I am interested to see what experience others bring forth...
Research & Downloads: Globalcollect.com (if International) and Cybersource.com
https://www.pcisecuritystandards.org/security_standards/pci_dss.shtml
The Payment Card Industry Data Security Standard (PCI DSS) is THE standard for securing payment information and transactions. It has both online and offline elements and these elements touch everything from your processor to your back office policies and procedures. That sounds scary, but it's really not.
Read the document! It's actually not very long and it's a pretty quick read. I was expecting a nightmare when I first read it (given a directive from my CEO while building out electronic payments for our company) but it was shorter than I expected and more straightforward. And like anything, once you have done that initial homework you can quickly understand what you need to do as a company and get people behind it.
I have had
Finally, if you need outside help, I do know that there are a lot of consultants (and firms) that do this sort of thing for companies, although I have not used them so sorry I can't help with a reference here.
I agree with Jeff's comments above. On the payment outflow process, if you really want the greatest efficiencies (with control) then, depending on which country you operate in, self-billing linked with your expenditure approval process is the most beneficial, linked then to secure electronic payment and confirmation back to the supplier that payment has been made. Self-billing entitles you to raise incoming invoices on behalf of your suppliers, preferably linked to a well-controlled and automated cost-approval process. So on top of the benefits from removing reliance on inefficient cheque payments, you also remove the need for very time-consuming supplier statement reconciliations etc.
Whether you can implement this total efficiency opportunity will depend on local fiscal legislation. In Europe and some countries in the APAC region it's possible.
Scott,
You may want to consider the material at
http://usa.visa.com/merchants/risk_management/cisp_merchants.html#anchor_2
and at
http://usa.visa.com/merchants/risk_management/cisp_service_providers.html
to determine if you are a merchant or a service provider and what compliance level is required for your situation. The minimum standards apply if the cardholder information for payments you receive is accepted, processed and stored on third-party platforms (e.g. web-based solutions, or web-hosting companies), using third-party payment solutions (e.g. online payment gateways). If none of that data is collected by your systems, then you may find that your role is primarily to ensure that those vendors are PCI compliant and/or they meet SAS 70 standards, and completion of an annual self assessment. On the other hand, if cardholder information is collected or stored on any of your private networks, or is stored on servers you own or manage, you must meet the highest compliance requirements, and you will need assistance from a qualified security assessor. I recently completed the CISP compliance process with a consultant and I would be happy to share my experience if you call me privately.
Scott,
Here are industry best practices you can leverage to significantly minimize PCI risk while reducing the cost of processing electronic payments. For instance, you can route all of your incoming payments (PayPal, credit card, purchasing card, Google Checkout, etc.) through a single gateway. This significantly reduces the number of PCI compliance points you have to monitor and secure. Secondly, depending on your payment infrastructure, you can use a number of encryption and tokenization services that completely remove the communication and storage of credit card data from within your organization to an outside partner.
Feel free to call or e-mail me and I would be happy to provide additional information.
Regards,
Anand Goel
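The tokenization pattern described in the answer above, as an added illustration that is not part of any reply in this thread and not the code of any real tokenization provider: the `TokenVault` class stands in for the outside partner that holds the card number (PAN), while the merchant keeps only a random token, a masked PAN and the expiry, so none of its own systems ever store cardholder data. The card number used is the widely published Visa test number, the HMAC index key is a constructed placeholder, and the vault is an in-memory dictionary purely to show the scope boundary.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn check.

    Luhn catches typos and mis-keyed numbers; it is not a fraud control.
    """
    digits = [int(ch) for ch in pan if ch.isdigit()]
    if len(digits) != len(pan) or not 12 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep only the last four digits, which is what the merchant may display."""
    return "*" * (len(pan) - 4) + pan[-4:]


class TokenVault:
    """Stand-in for the outside tokenization provider (hypothetical).

    The PAN lives only here. Tokens are random, so they reveal nothing about
    the card, and an HMAC-keyed index lets a returning customer's card map to
    the same token without the merchant ever storing or hashing the PAN itself.
    """

    def __init__(self, index_key: bytes):
        self._index_key = index_key
        self._by_token = {}       # token -> PAN (vault side only)
        self._by_pan_hmac = {}    # HMAC(PAN) -> token, for repeat lookups

    def _pan_index(self, pan: str) -> str:
        return hmac.new(self._index_key, pan.encode(), hashlib.sha256).hexdigest()

    def tokenize(self, pan: str) -> str:
        if not luhn_valid(pan):
            raise ValueError("PAN failed Luhn check")
        idx = self._pan_index(pan)
        if idx in self._by_pan_hmac:
            return self._by_pan_hmac[idx]
        token = "tok_" + secrets.token_hex(16)
        self._by_token[token] = pan
        self._by_pan_hmac[idx] = token
        return token

    def detokenize(self, token: str) -> str:
        """Only the vault (and the gateway it serves) resolves a token to a PAN."""
        return self._by_token[token]


@dataclass
class StoredCard:
    """Everything the merchant keeps about a saved card: no PAN, no CVV."""
    token: str
    masked_pan: str
    expiry: str


def store_card_for_customer(vault: TokenVault, pan: str, expiry: str) -> StoredCard:
    """Hand the PAN to the vault once and retain only the token and masked form."""
    token = vault.tokenize(pan)
    return StoredCard(token=token, masked_pan=mask_pan(pan), expiry=expiry)


def record_contains_pan(record: StoredCard, pan: str) -> bool:
    """Scope check: a merchant record must never carry the full PAN."""
    return pan in record.token or pan in record.masked_pan


if __name__ == "__main__":
    # Constructed inputs: the published Visa test PAN and a placeholder index key.
    vault = TokenVault(index_key=b"placeholder-index-key")
    saved = store_card_for_customer(vault, "4111111111111111", "12/29")
    print(saved)                                  # token + ************1111
    print(vault.detokenize(saved.token))          # PAN, visible only vault-side
```

The point of the split is where the PCI scope boundary falls: the merchant database holds `StoredCard` rows that are useless to an attacker, and `detokenize` is reachable only from the vault or gateway, never from the merchant's web tier.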
In my most recent position as