1. What compliance-related security services could/should VARs be offering their customers to add value and create a revenue source?
There are many security services VARs should consider offering related to security and compliance. A few that should be offered include EMV, PCI Compliance solutions, tokenization/encryption and Breach Protection.
With the liability shift now in the past, VARs are realizing how imperative it is to become EMV compliant. EMV is here to stay, and delaying implementation could cause serious harm to both VARs and their customers. VARs need to communicate to their customers the importance of adopting EMV-capable solutions and educate them on how upgrading their products to EMV-compliant solutions will protect their business from possible instances of fraud.
It’s also imperative for the customers of VARs to become PCI Compliant. Any merchant who accepts credit card payments must operate their business within the security guidelines of PCI-DSS, making compliance necessary for security. VARs can work with a trusted payments partner to ensure their customers are PCI Compliant, taking the burden off of VARs to protect their customers alone.
Tokenization and Encryption provide added security with each transaction, allowing the merchant and cardholder to rest easy knowing that the cardholder data is safe. Both of these allow a VAR to offer an all-encompassing security solution when it comes to payment transactions.
In addition, VARs should offer Breach Protection insurance for their customers, which is a critical component of the total security package. With the heightened threat of cyber attacks, breach protection is a good option to help prevent fraud and defend against hackers, and it adds an extra source of revenue.
2. What is involved from a time and investment standpoint to offer these services?
Deploying a variety of payment security solutions will take an upfront investment in resources to evaluate what solutions make the most sense for the VAR’s customers. Each solution will vary in terms of timing and cost to deploy.
For example, a typical EMV certification from start to finish can take several months to complete, in addition to being costly. For VARs and customers looking to expedite this process, a semi-integrated solution is best. These products only take a few weeks to integrate within POS software and are less expensive than a full integration. Not only will a semi-integrated solution take less time to complete, but it can also reduce EMV certification costs.
VARs can work with a payments partner who can advise them on the best way to remain PCI Compliant. A part of the PCI compliance analysis includes evaluating the overall software and hardware delivery for payment acceptance. This evaluation needs to be done by the VAR and their customer to ensure there are no security risks, and typically doesn’t take much preparation time. Working with a partner helps speed this process and ensure it’s done appropriately.
Likewise, deploying tokenization and integrating P2PE and breach protection wouldn’t take a significant amount of time. The key is working with a partner that already has these capabilities so they can be easily deployed.
3. Does offering these services increase the liability of a VAR should a breach occur?
In many cases, it won’t increase the liability of the VAR. In fact, offering these solutions should provide stronger security to protect the VAR’s customers and minimize any payment security issues.
Regarding PCI, any customer who does not become PCI Compliant will be held liable for not complying with the safety standards set in place within the payments industry. VARs that choose not to implement products featuring tokenization or P2PE, or not to offer breach protection insurance, could be placing their customers at higher risk for fraud and, in some instances, might have to pay fines related to the fraud due to lack of additional security solutions.
However, for a VAR to add valuable solutions and serve their market effectively, they must ensure they have implemented and offered a full security suite to protect against breaches and fraud. This in turn will keep their customers loyal to them and strengthen the trust they have with these customers.
4. How can any liability be reduced?
VARs wanting to reduce liability for their customers need to partner with a payments expert who can help analyze the current payments offering and determine if there are areas of concern. If needed, the partner can then seamlessly integrate security solutions on behalf of a VAR and can provide the guidance, support, and product solutions to combat fraud and breaches.
5. What common mistakes do VARs make concerning payment security?
Many VARs aren’t aware of the right solutions they can implement to lessen the probability of fraud or a breach happening. In some cases, they don’t do anything proactively to manage their security risk. Even though the liability shift has passed, there are still VARs who are not familiar with EMV technology as a whole, nor are they aware of the appropriate steps needed to integrate EMV within their products.
Other VARs may not utilize tokenization and encryption to secure the processing, transferring and storing of payment card data that their customers receive. As mobile technology continues to gain momentum, tokenization will become a great asset to prevent fraud from happening, as it prevents cyber criminals from obtaining credit card data that they would in turn use for fraudulent purposes. P2PE can equally provide risk reduction and improved security for VARs by transfiguring confidential credit card data into an obscure code.
6. How can these mistakes be avoided?
VARs can avoid staying unfamiliar with the latest payment security solutions by partnering with a payments expert who is skilled in providing solutions specifically tailored to VARs. They need a partner they can rely on who has already done the work for them on the security front. This partner should be able to guide and educate them on the right steps and solutions needed to protect their customers. Not only can a payment expert offer a semi-integrated solution for a VAR, but they can also work on integrating P2PE and tokenization within their customers’ POS terminals and/or POS systems on behalf of the VAR.