Dollars & Cents
The Intersection of PCI Compliance and Membership
By: Katie Rogers
Summary: Payment card industry compliance is a confusing topic, and it can be further complicated by your association's needs in processing membership dues. Find out what level of standards applies to your organization and what those standards mean for your options in managing member payments.
I was recently asked a question on a professional forum by an organization that wanted to offer a trial membership that was "free for the first 30 days," and also one that would auto-renew when the paid term expired. The organization was cautious about doing so because it was hesitant to hold credit card data for the length of the trial or membership, at the end of which the card would be charged. Enter the old PCI Compliance Boogie Man.
It seems everywhere we look, we see SAS, PED, WIPS, PA*, Red Flag, and the mother of them all, PCI (Payment Card Industry) compliance. While many of these have been around for the better part of the 21st century, they have only begun to trickle down to smaller organizations, the Level 3 and Level 4 merchants. Don't know which level you are? Here is where it begins to get tricky. While the PCI Security Standards Council (PCI SSC) states that all merchants must be PCI compliant, each card brand (Visa, MasterCard, American Express, and so on) enforces compliance and sets its own merchant levels (though they are similar). The standard most go by is Visa's, which defines Level 4 merchants as those that process fewer than 20,000 Visa e-commerce transactions and fewer than one million other Visa transactions per year. (Level 4, by the way, makes up 80 percent of the processing universe.) Most associations fall well within Level 4. Note that the counts are per brand, so a merchant's level is determined separately by each brand it accepts. To find which level you are, I would recommend visiting this guide to PCI compliance levels, which gives a good summary of the different levels.
Compliance is confusing; there is no doubt about that. So much so that even the head of Michaels Stores recently told Congress that the more than 250 compliance points were confusing even for them to meet, and quite costly as well. So, where does this leave associations?
As a third-party processor (i.e., we store and charge cards for our association clients for membership, subscriptions, and products), my firm, through our audits, research, and implementation of systems, has come up with a short, sweet, and "real speak blurb" regarding PCI Compliance as it relates to the storage of payment information:
"Can one (unsavory or savory character) link an individual's payment information (we don't just think of credit cards; electronic funds transfers and check information count, too) to that same individual's personal information either via physical or electronic storage?"
If the answer is yes, then you have a problem. Solving it can be as easy as blacking out all but the last four digits of the card number on response forms once they have been entered (one of our clients does exactly this for its in-house documents) or as complex as post-processing: separating the card data from the member record and storing it in a separate, encrypted database under a unique identifier that is the only thing the membership system keeps, so that the card can be retrieved when you need to recharge it (e.g., for auto-renewals or delayed charges). The latter technique is properly called tokenization; "end-to-end" (or point-to-point) encryption means something different in PCI usage, namely encrypting card data at the moment of capture so that it travels to the processor unreadable. Two caveats apply to any in-house vault of this kind. First, storing the full card number at all, whether or not it is linked to a name, keeps that system in scope of PCI DSS Requirement 3: the number must be rendered unreadable wherever it is stored, and the encryption keys must be managed separately from the data. Second, sensitive authentication data (the three- or four-digit security code, full magnetic-stripe data, and PINs) may never be stored after authorization, encrypted or otherwise. Tokenization can be costly, but it is a necessary evil our database must perform in order to sufficiently protect our firm and our clients' merchant accounts from fraud and subsequent legal action.
To help merchants of all sizes, the PCI SSC has created the Self-Assessment Questionnaire (SAQ), a handy tool for checking whether you are in compliance for your level and what you need to do if you are not. And of course, there are different questionnaires for different validation categories (which are separate from merchant levels; see how easy they make this?). For example, SAQ A covers card-not-present merchants that have fully outsourced all handling of cardholder data, while any merchant that stores cardholder data electronically must complete the longest form, SAQ D. I recommend everyone take this evaluation; it's free, so why not?
However, for those interested in the original question about the trial and auto-renewal membership, I would be happy to relay my answer on the options I saw for this organization (which was not doing this through an outside PCI-compliant service firm but was instead trying to do it in house).
Option 1. You can store the card and bill the potential member after the trial period is complete as long as the following parameter is met within your membership management database/system:
Within your own systems, the card number must not be stored alongside the cardholder's name and address in any way. For example, for auto-renewals or trial offers, our firm's PCI-compliant database encrypts the card and stores it in a secondary, unlinked database under a unique identifier; only a charge request resolves that identifier back to the cardholder and the card. (This technique is tokenization, not end-to-end encryption, which is the PCI term for encrypting card data from the point of capture to the processor.) Bear in mind that the unlinked store still holds full card numbers and is therefore fully in scope of PCI DSS. The only way to take card storage out of scope entirely is to let your payment processor or gateway hold the card and hand you a token to charge against.
The obvious benefit of this system is the automatic collection of funds, but a word of advice: make sure the terms of when customers will be charged are stated clearly up front and then enforced as stated (e.g., "We hope you are enjoying your free trial. In XX days, your membership will be paid in full."). Not doing so could cause stewardship issues down the line and resentment from the member.
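The separated card store described under Option 1, as an added example that is not part of the original article and is not DirectAnswer's code: the membership record keeps only an opaque token and a display-safe masked number, while a separate vault holds the card number encrypted with AES-GCM under that token. The key, the sample member, and the well-known test card number are all constructed for the example; in practice the key would live in a hardware security module or key-management service, not beside the data, and the vault would still be fully in scope of PCI DSS because it stores full card numbers.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"fmt"
	"strings"
)

// MemberRecord is what the membership database keeps: no card number, only a
// token into the vault and the display-safe digits PCI DSS allows (first six,
// last four). The security code (CVV2) has no field because it must never be stored.
type MemberRecord struct {
	Name      string
	Email     string
	CardToken string // opaque reference into the vault
	MaskedPAN string // e.g. "411111******1111"
	TrialEnds string // ISO date; constructed sample value
}

// Vault holds only token -> nonce||ciphertext of the card number. It stores no
// name or address, so a compromised vault alone yields nothing linkable and a
// compromised membership DB alone yields no card numbers.
type Vault struct {
	aead cipher.AEAD
	rows map[string][]byte
}

// NewVault wraps a 16-, 24- or 32-byte AES key. Key custody is assumed to be
// handled outside this code (HSM/KMS); the key is never written next to rows.
func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, rows: map[string][]byte{}}, nil
}

// luhnValid rejects mistyped card numbers before anything is stored.
func luhnValid(pan string) bool {
	if len(pan) < 13 || len(pan) > 19 {
		return false
	}
	sum, double := 0, false
	for i := len(pan) - 1; i >= 0; i-- {
		c := pan[i]
		if c < '0' || c > '9' {
			return false
		}
		d := int(c - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// maskPAN keeps first six and last four digits, the maximum PCI DSS permits to display.
func maskPAN(pan string) string {
	return pan[:6] + strings.Repeat("*", len(pan)-10) + pan[len(pan)-4:]
}

// Tokenize encrypts the card number under a fresh nonce and returns a random
// token plus the masked form for the membership record. The token is bound as
// associated data, so a ciphertext moved under another token fails to decrypt.
func (v *Vault) Tokenize(pan string) (token, masked string, err error) {
	if !luhnValid(pan) {
		return "", "", errors.New("invalid card number")
	}
	raw := make([]byte, 16)
	if _, err = rand.Read(raw); err != nil {
		return "", "", err
	}
	nonce := make([]byte, v.aead.NonceSize())
	if _, err = rand.Read(nonce); err != nil {
		return "", "", err
	}
	token = hex.EncodeToString(raw)
	ct := v.aead.Seal(nil, nonce, []byte(pan), []byte(token))
	v.rows[token] = append(nonce, ct...)
	return token, maskPAN(pan), nil
}

// Detokenize is the only path back to a card number: call it at charge time and
// pass the result straight to the processor, never back into the membership DB.
func (v *Vault) Detokenize(token string) (string, error) {
	row, ok := v.rows[token]
	if !ok {
		return "", errors.New("unknown token")
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, row[:ns], row[ns:], []byte(token))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

func main() {
	key := make([]byte, 32)
	rand.Read(key) // constructed key for the demo; use a KMS/HSM in production
	vault, _ := NewVault(key)
	// Constructed sample: a well-known Visa test number, not a real card.
	tok, masked, err := vault.Tokenize("4111111111111111")
	if err != nil {
		panic(err)
	}
	m := MemberRecord{Name: "Jane Member", Email: "jane@example.org", CardToken: tok, MaskedPAN: masked, TrialEnds: "2011-03-01"}
	fmt.Printf("membership row (no card number): %+v\n", m)
	pan, _ := vault.Detokenize(m.CardToken)
	fmt.Println("charge-time lookup resolves to a card ending in", pan[len(pan)-4:])
}
```

The split matters for scope: an attacker who reads the membership database gets names, e-mails, and masked numbers, which are not usable for fraud; an attacker who reads the vault gets ciphertext and random tokens with no names attached. Note that this still does not make the vault itself out of scope; letting the processor hold the card and return a token does.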
Option 2. Send the trial member an invoice, along with a trial membership card or a packet touting the benefits of paid membership (by email or print, whichever best suits your organization or the member), that is due on or about the date the trial period ends. The member can either pay the invoice or notify you that he or she does not wish to sign up.
The benefits of this system are that the member feels more in control of the decision to sign up and can pay with any form of payment (not just an automatic card charge). The downside is that managing the process depends on your database being able to track accounts receivable, and on you and your membership team following up continually and suspending members who do not convert to paid membership. For example, we provide our clients custom solutions for each member type and build a custom delivery of either option above.
With either option, you have the opportunity to reach out to the member and determine why they decided not to sign up, should this be the case. Most likely, the option you go with would be dependent on your ability to comply with PCI regulations regarding the storage of the payment information as well as the management of the system.
No sugar-coating here: PCI Compliance can be confusing, costly, and ever changing, sometimes making you feel as though you can never get ahead of it.
In fact, the new Restore Online Shoppers' Confidence Act, for instance, was just signed into law on December 29, 2010. It applies to exactly the free-trial-that-converts arrangement discussed above: a seller using such a negative-option feature online must clearly disclose the material terms before obtaining billing information, obtain the consumer's express informed consent to the recurring charge, and provide a simple mechanism for stopping it. Expect it to change business rules regarding recurring credit card or EFT charges and how a member's consent is recorded. The text of the new law can be found here [PDF].
There are many more resources online, often free, that can help you navigate your way through compliance. Many qualified firms can handle the management of this as well, giving you the freedom to spend time on more strategic aspects of your association.
Katie Rogers is vice president of DirectAnswer, Inc., in Oxon Hill, Maryland. Email: email@example.com
*Wondering about that acronym soup? Four other terms we finance pros have to learn:
- SAS: Statement on Auditing Standards (SAS 70 was the audit report service providers were asked for)
- PED: PIN Entry Device Security Requirements
- WIPS: Wireless Intrusion Prevention System
- PA (PA-DSS): Payment Application Data Security Standard