Choosing a Payment Vendor and Service Provider: A Guide for Small Merchants

If you’re not getting paid, you don’t have a business. But in today’s business landscape, characterised by a multitude of payment service providers and heightened cyber security risk, how you get paid is just as important.

The Payment Card Industry Security Standards Council (PCI SSC) mandates that all entities involved in payment processing must comply with the PCI Data Security Standards (PCI DSS), regardless of their size or transaction volume.

In this article, we’ll help you understand the security considerations associated with each type of payment vendor and service provider, so you can understand which payment security requirements apply to your business.

Types of Payment Vendors and Service Providers

Here are the different types of payment services available to organisations that accept card payments.

If your organisation outsources payments, it’s still crucial that you understand how your payment service provider complies with the following requirements.

Payment Processing Platforms

Payment processing platforms handle card transactions. These service providers are responsible for secure payment routing, meaning that a customer’s card details should remain protected from the moment they are entered until the transaction is confirmed. Payment processing platforms are responsible for end-to-end encryption of the data, so that even if a cyber criminal manages to intercept payment data during the transaction, what they capture is useless to them.

E-Commerce Payment Systems 

E-commerce payment systems encompass the entire process, from product selection to payment acceptance. 

Point-of-Sale (POS) Providers 

POS providers manage the hardware and software used for in-person transactions. A secure POS system is critical for ensuring the safety of physical card transactions. Much like e-commerce payment solutions, POS systems must provide encrypted payment terminals and secure routing.

Payment Gateway Providers 

Payment gateway providers are the bridge between merchant websites and financial networks. Because they are responsible for securely transmitting transaction data, payment gateway providers must comply with PCI DSS.

Payment Security: The Critical Questions to Ask Your Vendors 

Based on guidance from the PCI Security Standards Council, you should ask the following questions of your current and prospective payment service providers: 

Security Protocols

  • What level of PCI compliance do you maintain?
  • How do you secure and encrypt payment data?
  • Do you use secure versions of Transport Layer Security?
  • What are your data protection mechanisms?

Compliance and Authentication

  • Are your vendors SOC 2 compliant?
    (SOC 2 is a US CPA standard; the Australian equivalent is ASAE 3402.)
  • How do you authenticate transaction data?
  • What mechanisms prevent unauthorised access?

Technical Infrastructure

  • How frequently do you update security systems?
  • What is your incident response protocol?
  • Do you offer and require the use of Multi-Factor Authentication (MFA)?

Vendor Risk Management

PCI Compliance Levels: Which Level Is Your Business?

The PCI Council mandates a different level of compliance based on annual transaction volumes by card type, e.g., for each of Visa, MasterCard, and others. Each level has different requirements, based on the principle that the higher the transaction volume, the greater the risk of unauthorised access.

The levels are:

  • Level 4: Fewer than 20,000 transactions per year
  • Level 3: 20,000 to 1 million transactions per year
  • Level 2: 1 to 6 million transactions per year
  • Level 1: Over 6 million transactions per year

Self-Assessment Questionnaire

Every merchant must complete a Self-Assessment Questionnaire (SAQ) appropriate to their business model. Which SAQ your business needs to complete to demonstrate PCI compliance depends on your payment environment and business model.

To see what Self-Assessment Questionnaire applies to your payments environment, read our guide to SAQs.

Red Flags to Watch For When Evaluating Payment Vendors 

When evaluating payment vendors, be cautious of providers who: 

  • Cannot clearly explain their security measures
  • Lack evidence of PCI DSS compliance
    (Ask for, and expect to be provided with, their most recent Attestation of Compliance (AOC), countersigned by a QSA within the last year.)
  • Refuse to provide detailed compliance documentation
  • Have a history of data breaches

Recommended Action Steps 

To ensure the security of your business, you must:

Document all vendor relationships: Including the services they provide and what data they may have access to as part of their service. 

Conduct thorough security assessments: This will ensure your organisation continues to maintain best practice security standards as the threat environment evolves. 

Regularly review vendor compliance status and maintain open communication about security expectations: Your vendors should update you on their security posture, including any steps they have taken to safeguard their solution against emerging threats. If they don’t, be proactive in asking for these updates.

Be prepared to change providers if your current provider doesn’t meet security standards: If a vendor is unable, or unwilling, to meet your security expectations, the security risk they pose may create an existential threat to your business. So regardless of how good and long-standing your relationship may be, or how competitive their pricing is, staying with an insecure vendor is too great a risk.

Business vendors may have access to sensitive information about your organisation. Small merchants must ensure their vendors are securing their own systems and networks. 

By understanding vendor types, asking the right questions, and maintaining vigilant security practices, small merchants can significantly reduce their risk of data breaches and protect their customers’ sensitive payment information.

Maintaining the security of your business is an ongoing activity; it is never complete. Navigating the myriad security requirements of an increasingly complex cyber threat landscape can be a resource-heavy, time-consuming exercise for a small business, especially if you don’t have the expertise in-house.

Stratica partners with small merchants to provide a tailored, comprehensive cyber security solution that ensures your entire environment, including your third-party providers, meets current best practices.

Our process involves: 

  • Identifying potential vendor risks 
  • Identifying and providing advice on mitigating security vulnerabilities 
  • Continuously monitoring vendor security practices 

To better understand your security requirements, we offer complimentary security reviews. In our reviews, we will take the time to understand your business’s unique requirements and how to implement security best practices in the most efficient manner. To book your review, get in contact with our team.