ERP and Payments: PCI Compliance Nightmare

A PCI Compliant ERP solution doesn’t make a merchant PCI Compliant. The features of the payment integration drive customer decisions to use or not use an ERP payment module. When payment vendor choices are restricted artificially by using technology to control merchant services options, merchants often enter ERP relationships with a level of dissatisfaction right from the start.

Severely restricted payment gateway options, especially for business to business, result in either the merchant using an alternative non-integrated payment solution, thus sacrificing efficiency, or using the integrated solution and failing to meet PCI 3.0 requirements or other payment needs. How can I make this statement? B2B companies that accept credit cards typically have a portion of their sales via the telephone. To mitigate the risk of fraud, they use paper credit card authorization forms. However, the forms are inherently risky in many ways.

  • Sensitive authentication data, which includes the security code (CVV/CID), can never be stored.
  • Forms offer an option to send via email. Unprotected data cannot be sent via messaging technologies such as e-mail, instant messaging, chat, etc. (PCI section 4.2). Even if the form doesn’t offer it, customers sometimes ignore instructions and send via email.

In the absence of a best practice, employees will revert to whatever is necessary to get their job done and reduce the risk of looking bad (fraud losses). If the ERP payment module doesn’t help merchants eliminate credit card authorization forms, the entire operation may be at risk of a potential data breach.

For retail, data breaches have become commonplace. Few ERP Point of Sale (POS) solutions are using Point to Point (P2P) encryption and other best practices to reduce data breach risk. They raced to bring mobile to market, and many now have neither EMV chip terminals nor P2P, both increasing financial risk to merchants.

Why does an ERP restrict options for merchant services? Because it’s part of their revenue stream. When competition is eliminated, there’s almost no chance of having the best solution in the marketplace. The proof is a long string of failures to meet business needs: failure to offer electronic bill presentment and payment, which would increase cash flow and efficiency; failure to offer a US EMV chip card acceptance solution prior to the liability shift; failure to offer level 3 processing for all sales channels. These failures reduce cash flow, profits, and security as companies attempt to work with the ERP limitations, or find ways to work around them.

The argument that it’s to protect merchants from data breaches is only partially true. For any modern payment gateway integration, the payment activity is usually outside the ERP to reduce PCI scope. That won’t change from one gateway to another, so the risk doesn’t change, provided the third party gateway is level 1 PCI Compliant.

Examples of ERPs that restrict payment gateway and merchant services choices are Netsuite and Sage. Additionally, consultants are often compensated for payment gateway recommendations. Consulting with an independent payment specialist, like blog author Christine Speedy, can expose the pros and cons of different options.

ERPs holding onto merchant services and gateway revenue streams are short sighted, as these business practices anger customers. Can you imagine if an ERP wouldn’t communicate with any other software, for example, Magento? ERPs focused on delivering the best business software for all facets of a business, and on enabling the merchant to follow best practices for PCI Compliance, must give users the flexibility needed to run their business with their own financial partners.

If an ERP relies so much on its merchant services revenue share that it won’t let you choose your own financial partners, I’d think seriously about whether it’s the best ERP for your business.

ERP Alert: 3 Reasons Merchants Fail PCI Compliance


I’ve identified a significant reason why business to business merchants using ERPs will fail a PCI Compliance stress test. Whether you’re a consultant engaged to implement or extend an ERP, or you’re responsible for your company’s PCI Compliance, chances are even a non-hacker like me can find vulnerabilities in your security. Why? The Payment Card Industry (PCI) Data Security Standard is the foundation of any security plan, but ‘real world’ and ‘written policies’ are not always aligned, leaving businesses wide open to a potential data breach.

Regardless of security efforts, it’s impossible to overcome product limitations or inefficiencies that result in employees using alternative ‘non-PCI compliant’ procedures for accounts receivable. Ah, but you say someone should have known and planned better. That may be true, but there is also sometimes a disconnect between internal policies, software selection, and perceived practical necessities to conduct business efficiently. Case in point: I’ve called on many companies that forbid storing card data anywhere (per CTO and/or CFO policy); however, departments have a number of practical processes that violate the policy, ‘in order to comply with other departmental requirements’. If all parties fully understood the requirements for security and business needs, there is always a PCI Compliant solution.

What are 3 top ERP related PCI failures?

  1. Need for written approval to store card data and use it for variable recurring billing. This is frequently on a credit card authorization form the merchant desires to keep on file.
  2. The business does not use the merchant services portion of the accounts receivable module due to an ERP specific processor partner requirement (price, banking relationship interference, or another reason given not to implement it).
  3. Personnel collecting credit cards do not have access to the system to store credit card data (a problem with user access, financial controls, or personnel restriction limitations; inefficient to use in the sales process).

Surprised? It’s not the ERP specifically that is cited as the cause of failure; it’s procedural needs and flexibility not being met that cause employees to bypass established security procedures.

How can merchants prevent employees from violating PCI Compliance guidelines?

  • Follow the money. Identify all personnel involved in the sales, billing and collections process. Interview staff, starting with the sales team and continuing through how payment data is collected, invoicing, payment processing, and collections for delinquent accounts. Always ask questions about processes that you know are not allowed or that need to be fixed.
  • Implement appropriate agnostic cloud payment technology for all facets of billing and collections.

How long do you think it will take for an outsider like me to prove your business is NOT PCI compliant?

  • 5 minutes
  • 4 hours
  • 1 week

Take the FREE test and call 954-942-0483.