Understanding the Payments Ecosystem: Building a PayFac and Ensuring PCI DSS Compliance

In today’s digital world, mastering payment technology is crucial for businesses to stay competitive. Payment Facilitators (PayFacs) simplify how merchants process payments, offering enhanced customer experiences and operational efficiency.

However, becoming a PayFac involves navigating complex regulatory requirements like PCI DSS certification and integrating advanced fraud prevention, KYC, AML, and risk management practices. Building strong partnerships with payment processors, issuers, acquirers, and card networks is crucial for smooth merchant onboarding, chargeback management, and overall payment flow.

This post will guide you through becoming a PayFac and ensuring compliance with PCI DSS standards, covering essential steps and benefits along the way.

What is a Payment Facilitator (PayFac)

A Payment Facilitator (PayFac) allows merchants to accept electronic payments without needing their own merchant account. Payment facilitators aggregate multiple merchants under a single merchant account, allowing them to offer payment processing services to these merchants. They take on the responsibility of underwriting, onboarding, and managing the merchant relationships, as well as handling the settlement of funds. This model allows smaller merchants to accept credit and debit card payments without the overhead and complexity of setting up their own merchant account.

Historical Context

The payment facilitator model emerged in the early 2000s to provide payment processing services to smaller merchants who couldn't qualify for their own merchant accounts. Traditional PayFac solutions were popular because they helped small- and medium-sized businesses accept online payments more easily. The PayFac model reduces the complexity of getting started with online payments and allows companies to focus on their core competencies. The PayFac sets up and manages multiple relationships and systems on behalf of the merchant.

Modern PayFac Solutions

Modern payment facilitator solutions often incorporate advanced features and capabilities, such as:

Reduced barriers to entry: PayFacs make it easier for smaller merchants to accept electronic payments by handling the complexities of setting up a merchant account.

Streamlined operations: PayFacs take on the administrative tasks of managing merchant relationships, settlement, and compliance, allowing merchants to focus on their core business activities.

Scalability and flexibility: As merchants grow, PayFacs can easily scale their payment processing capabilities to meet the increasing demand.

Access to advanced features: PayFacs often provide access to a range of value-added services and features that may not be readily available to merchants with their own merchant accounts.

Payment facilitators are essentially mini payment processors that provide services allowing merchants to accept card-not-present (CNP) and card-present (CP) payments. The first payment facilitators didn't arrive on the payments scene until the late 2000s, but they have since become essential to how the industry works and are an important part of the payments layer cake. With traditional merchant accounts, businesses are required to apply for a merchant account and purchase or build the software and hardware needed to accept card payments. With modern PayFacs, businesses are onboarded to the PayFac's platform, which acts as the go-between by hooking into a payment processor directly.

Setting Up Your PayFac: Step-by-Step Guide

The Role of Acquirers and Gateways

Every payment facilitator (PayFac) must register with a sponsoring acquirer, which is a bank that offers merchant accounts. The acquirer conducts an underwriting process to verify the legality of the business and analyze its financial situation. Once the requirements are met, the sponsoring acquirer registers the business as a payment facilitator and provides a unique PayFac identifier and a Master ID (MID) account. Written confirmation of registration is required before operating as a PayFac.

PayFacs utilize their acquirer's processor to handle payments processed through their platform. If they have contracts with multiple acquirers, they will use the respective processors for different sub-merchants.

Choosing a Sponsoring Acquirer

When looking for a sponsor bank, it's crucial to check their ratings, ask how many PayFacs they've worked with, and find out how long they've been a registered sponsor. Banks with experience and a tried-and-true system in place are more likely to have fine-tuned their approach.

It's paramount that PayFacs work with a sponsor bank that has a strong compliance department and makes it easy for FinTechs to report suspicious activity. The sponsor bank should provide cloud-based transaction monitoring services as part of their AML services to prevent financial crimes.

Infrastructure Build-Out

Setting up a Payment Facilitation platform requires robust technology and infrastructure to ensure smooth, reliable, and secure payment processing. Key features include advanced fraud detection and prevention tools, customizable risk settings, and a robust reporting and analytics dashboard.

Onboarding merchants onto the PayFac platform is critical, requiring streamlined processes for collecting and verifying merchant information, setting up merchant accounts, and managing payment processing. Customizable onboarding workflows, automated underwriting processes, and support for target payment methods and MCC codes are essential.

Acquiring Necessary Licenses

As a payment facilitator, you will need to obtain various licenses and registrations to operate legally and compliantly. The specific requirements may vary depending on your location and the jurisdictions in which you plan to operate, but here are some common licenses and registrations that you may need:

US Money Transmitter License
In the US, most states require payment facilitators to obtain a money transmitter license, which allows you to transfer funds on behalf of merchants. The application process can be lengthy and involves background checks, financial audits, and bonding requirements.

US Federal and State Registrations
Depending on your business structure and location, you may need to register with federal agencies like the Financial Crimes Enforcement Network (FinCEN) and obtain an Employer Identification Number (EIN) from the Internal Revenue Service (IRS). Additionally, you'll need to register your business with the appropriate state agencies and obtain any necessary permits or licenses.

Payment Institution and Electronic Money Institution licenses
In Europe, payment facilitators may be required to obtain PI (Payment Institution) or EMI (Electronic Money Institution) licenses in order to offer merchant services and handle and initiate payments. The specific requirements for these licenses can vary by country, so it's important to research the regulations in each European market you plan to operate in.

Licenses in Other Jurisdictions
Beyond the US and Europe, payment facilitators may need to obtain additional licenses and registrations depending on the countries they serve. For example, in some Asian countries, payment facilitators may need to register as a Payment Service Provider (PSP) or obtain a Payment Intermediary License. In Latin American countries, there may be requirements for a Payment Institution or Electronic Money Issuer license. Thoroughly research the licensing landscape in each target market to ensure full compliance.

Payment Facilitator Registration
Major card networks, such as Visa and Mastercard, require payment facilitators to register with them and comply with their rules and regulations. This registration process involves submitting detailed information about your business, management team, and payment processing operations.

Compliance with Regulations
Payment facilitators must comply with various regulations, including anti-money laundering (AML) and know-your-customer (KYC) laws, data privacy and security regulations (such as GDPR and PCI DSS), and consumer protection laws. Failure to comply with these regulations can result in significant fines and legal consequences.

It is important to conduct thorough research and gain a comprehensive understanding of the licensing and registration requirements in the jurisdictions where you intend to operate. Seeking guidance from legal professionals and compliance experts can assist you in successfully navigating this process and avoiding any potential pitfalls.

Establishing Connectivity

Connecting to the acquirer’s systems is crucial for seamless integration and testing processes. This involves implementing merchant management systems that allow for efficient interaction with merchants. These systems typically include features such as dashboards, payout mechanisms, and tools for managing disputes related to chargebacks.

The role of a PayFac requires a bidirectional flow of information with the acquirer. On one hand, the PayFac is responsible for sending transaction data to the acquirer. On the other hand, the acquirer must have access to the PayFac's system to monitor performance and ensure compliance with relevant regulations and standards.

Managing and Operating as a PayFac

Readiness and Financial Assessment

Managing and operating as a PayFac involves several key responsibilities. Conducting thorough due diligence on potential sub-merchants is crucial to assess their risk profiles and weed out any bad actors. This involves evaluating factors such as the volume of transactions, industry or sector, countries of operations, and channels in use. Assigning appropriate risk levels to sub-merchants based on this assessment is essential for effective risk management.

Managing Sub-Merchant Onboarding

Onboarding sub-merchants requires a comprehensive Know Your Customer (KYC) process to verify that the business is legitimate and that its funds come from legitimate sources. This includes collecting and verifying information such as the company name, registered address, tax identification number, sales turnover, ownership, and bank details. Automation can streamline onboarding by validating data, minimizing errors, and boosting conversions. PayFacs must also screen sub-merchants for suspected criminal activity and for economic sanctions, including checks against the sanctions lists of the US Treasury's Office of Foreign Assets Control (OFAC) and the Financial Action Task Force (FATF). Additionally, checking the Member Alert to Control High Risk Merchants (MATCH) report is required to confirm that sub-merchants have not been terminated by other payment entities.

Risk and Compliance Monitoring

Risk management should not end at merchant onboarding; it must be a continuous process that actively monitors sudden or unexpected changes in sub-merchant business patterns, such as changes in the fundamental nature of the business, transaction volumes, or cross-border operations. Spikes in business activity, product changes, or the introduction of new channels or segments should also trigger a reassessment of risk scores. Maintaining PCI compliance is essential for PayFacs to ensure the safety and security of sensitive cardholder and authentication data. Compliance with PCI DSS protects sub-merchants and their customers by minimizing the possibility of data breaches, identity theft, fraud, and attacks.
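One way to turn these reassessment triggers into an automated daily check, as an added example that is not from the post (the spike factor, history window, 1-to-5 score scale and sample data are assumptions):

```python
"""Continuous sub-merchant risk monitoring (added example, not from the post).

Assumes a PayFac keeps, per sub-merchant, a trailing history of daily
transaction volume, the set of countries and channels seen at onboarding,
and a risk score from 1 (low) to 5 (high). Thresholds are assumptions.
"""
from dataclasses import dataclass, field
from statistics import median

@dataclass
class SubMerchantProfile:
    merchant_id: str
    risk_score: int                      # 1 (low) .. 5 (high), set at onboarding
    daily_volumes: list                  # trailing daily totals (minor currency units)
    countries: set = field(default_factory=set)
    channels: set = field(default_factory=set)

SPIKE_FACTOR = 3.0        # assumption: more than 3x the trailing median is a spike
MIN_HISTORY_DAYS = 7      # assumption: a week of history before spike checks apply

def review_day(profile, day_transactions):
    """Compare one day's transactions against the sub-merchant profile.

    day_transactions: list of dicts with 'amount', 'country', 'channel'.
    Returns (triggers, new_score); an empty trigger list means no reassessment.
    """
    triggers = []
    volume = sum(t["amount"] for t in day_transactions)
    if len(profile.daily_volumes) >= MIN_HISTORY_DAYS:
        baseline = median(profile.daily_volumes[-30:])
        if baseline > 0 and volume > SPIKE_FACTOR * baseline:
            triggers.append(f"volume spike: {volume} vs median {baseline:.0f}")
    new_countries = {t["country"] for t in day_transactions} - profile.countries
    if new_countries:
        triggers.append(f"new cross-border activity: {sorted(new_countries)}")
    new_channels = {t["channel"] for t in day_transactions} - profile.channels
    if new_channels:
        triggers.append(f"new channel: {sorted(new_channels)}")
    # Each trigger raises the score one step (capped at 5); the analyst who
    # reassesses the case decides the final score, this only queues it.
    new_score = min(5, profile.risk_score + len(triggers))
    return triggers, new_score

# Constructed sample: a GB-only card-present sub-merchant with a steady week
PROFILE = SubMerchantProfile(
    merchant_id="SUB-0001", risk_score=2,
    daily_volumes=[12000, 11500, 13000, 12500, 11800, 12200, 12900],
    countries={"GB"}, channels={"card_present"},
)
SAMPLE_DAY = [  # constructed: sudden online sales including a non-GB card
    {"amount": 30000, "country": "GB", "channel": "ecommerce"},
    {"amount": 15000, "country": "DE", "channel": "ecommerce"},
]

if __name__ == "__main__":
    reasons, score = review_day(PROFILE, SAMPLE_DAY)
    for r in reasons:
        print("reassess:", r)
    print("risk score", PROFILE.risk_score, "->", score)
```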

Fraud and Chargeback Management

Ensuring robust fraud and chargeback management practices is crucial. While becoming a PayFac can create new revenue streams, it also carries the risk of losses from chargebacks. PayFacs are responsible for managing the chargeback process along with the acquirer, responding to documentation requests, and bearing the transaction amount if unable to recover funds from the sub-merchant. Implementing risk and fraud mitigation practices, such as initially low processing limits or robust transaction monitoring, is crucial to guard against losses from chargebacks. Effective chargeback management involves promptly addressing disputes, providing necessary documentation, and working closely with sub-merchants to resolve issues.

Payouts and Reporting

Managing payouts and reporting is another important aspect of operating as a PayFac. PayFacs must manage the payment of funds out to their sub-merchants, ensuring timely payouts. Additionally, they must be prepared to report sub-merchant activity to their sponsoring acquirer on a quarterly basis or whenever requested. Accurate and timely reporting helps maintain transparency and accountability.

Global Expansion

As PayFacs expand globally, they may need to adapt to different AML regulations and legislative landscapes across various countries. Obtaining necessary licenses, such as Payment Institution (PI) or Electronic Money Institution (EMI) licenses, especially in Europe, may be required to provide merchant services and handle payments.

Key Components of PCI DSS Compliance

The PCI Data Security Standard (PCI DSS) defines security requirements to protect environments where payment account data is stored, processed, or transmitted. PCI DSS provides a baseline of technical and operational requirements designed to protect payment account data. To put it simply, the PCI DSS standards are there to protect cardholder data. Developed and maintained by the PCI DSS council (founded by five of the largest card brands: American Express, Discover, JCB, Mastercard, and Visa), the PCI standards are a collaborative effort within the payments industry to uphold and protect the integrity of the payments system to ensure security for cardholders.

PCI DSS Overview

Achieving PCI DSS compliance is crucial for safeguarding payment data.

Compliance with PCI DSS involves several steps. The first step is identifying the systems and technology used for payment processing, also known as "scoping," and determining where any vulnerabilities lie. This process helps you understand the scope of your payment processing environment and identify areas that need improvement. The next step is securing your systems according to the PCI standards, addressing any vulnerabilities, and, if possible, eliminating any storage of cardholder data. Finally, you need to submit compliance reports to your acquiring banks and card networks, demonstrating that you have taken the necessary steps to comply with the PCI DSS requirements.
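Scoping means finding every system that holds cardholder data, including places it was never meant to be, such as application logs. The scanner below is an added example, not code from the post; the digit-length pattern, the Luhn filter and the first-six/last-four masking are assumptions, and the log lines are constructed:

```python
"""PAN discovery for PCI DSS scoping (added example, not from the post).

Scans text (log lines, exports, config dumps) for candidate card numbers,
confirms them with the Luhn check so random digit runs are not reported,
and returns masked findings so the scanner output itself does not store
full PANs. Sample lines are constructed.
"""
import re

# 13-19 digits, optionally separated by spaces or dashes (assumed common formats)
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

def luhn_ok(digits):
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(digits):
    """Keep the first six and last four digits (assumed masking policy)."""
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]

def find_pans(text):
    """Return [(line_no, masked_pan)] for each Luhn-valid PAN found."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in PAN_CANDIDATE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group(0))
            if luhn_ok(digits):
                findings.append((line_no, mask_pan(digits)))
    return findings

# Constructed sample: an application log that leaked a PAN into a debug line;
# the order and reference numbers are long digit runs that fail Luhn
SAMPLE_LOG = """\
2024-05-01T10:00:01Z INFO  order 123456789012345 created for sub-merchant SUB-0001
2024-05-01T10:00:02Z DEBUG auth request card=4111 1111 1111 1111 exp=12/26
2024-05-01T10:00:03Z INFO  auth approved ref=9876543210987654
"""

if __name__ == "__main__":
    for line_no, masked in find_pans(SAMPLE_LOG):
        print(f"line {line_no}: possible PAN {masked} -> this log store is in scope")
```

A hit means the system that wrote the line stores cardholder data and belongs in the PCI DSS scope until the logging is fixed.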

For PayFacs, maintaining ongoing PCI compliance is essential. The ability to uphold transparent data security protocols that are deemed compliant with PCI is what ultimately protects you and your sub-merchants from data compromise and its associated costs – from both a financial and brand integrity perspective. Regular assessments and transparent security protocols help protect both the PayFac and its sub-merchants. Compliance not only minimizes the risk of data breaches but also maintains trust and credibility.

Effective communication between a PayFac and its sub-merchants is critical for maintaining PCI compliance. Once the PayFac is educated on PCI compliance, it must pass on the education that is applicable to its sub-merchants. The sub-merchant must be mindful of what they are responsible for and why. The "why" is often the most challenging but also the most important. For both a PayFac and its sub-merchants, knowing why the steps they take to protect cardholder data matter gives context and substance to the policies and procedures.

Repetition of compliant activities is pivotal to maintaining PCI compliance. Once the policies and procedures are in place, the next step is to ensure these become part of the normal business routine for both the PayFac and their sub-merchant. Regular training and reinforcement of security practices help ensure ongoing compliance.

The Future of PayFacs

The PayFac industry is poised for significant growth, with a projected compound annual growth rate (CAGR) of over 15% from 2022 to 2027. Key drivers include the rise of e-commerce and digital payments, accelerated by the COVID-19 pandemic. As businesses move online, the demand for seamless, secure payment solutions increases. PayFacs offer an efficient way for merchants to accept payments across various channels, including online, in-store, and mobile.

Technological advancements, such as embedded finance, are creating new opportunities for PayFacs to provide a more integrated experience. Security and compliance remain critical as PayFacs invest in robust measures to protect against cyber threats and adhere to standards like PCI DSS, enhancing trust and credibility.

Specialization is another trend, with PayFacs increasingly catering to specific industries like healthcare and e-commerce. This focus allows them to offer tailored solutions that better meet the unique needs of their clients.

Conclusion

Becoming a Payment Facilitator offers a strategic advantage in the digital economy. By understanding the steps involved and ensuring compliance with PCI DSS, businesses can streamline payment processes, reduce risks, and provide better services to their customers. The future of the PayFac industry looks promising, with continued growth, innovation, and a strong focus on security and compliance. As the demand for efficient and secure payment solutions continues to rise, PayFacs are well-positioned to play a crucial role in enabling businesses to thrive in the ever-evolving digital economy.
